diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 6dbc487f58..d3f5beecbb 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -9,6 +9,7 @@
 "build_output_subfolder": "mdop-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -25,6 +26,7 @@
 "build_output_subfolder": "windows-manage-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -41,6 +43,7 @@
 "build_output_subfolder": "smb-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -57,6 +60,7 @@
 "build_output_subfolder": "surface-hub-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -73,6 +77,7 @@
 "build_output_subfolder": "microsoft-edge-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -89,6 +94,7 @@
 "build_output_subfolder": "win-development-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -105,6 +111,7 @@
 "build_output_subfolder": "windows-plan-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -121,6 +128,7 @@
 "build_output_subfolder": "win-client-management-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -137,6 +145,7 @@
 "build_output_subfolder": "win-threat-protection-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -153,6 +162,7 @@
 "build_output_subfolder": "win-app-management-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -169,6 +179,7 @@
 "build_output_subfolder": "windows-deploy-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -185,6 +196,7 @@
 "build_output_subfolder": "keep-secure-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -201,6 +213,7 @@
 "build_output_subfolder": "surface-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -217,6 +230,7 @@
 "build_output_subfolder": "windows-hub-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -233,6 +247,7 @@
 "build_output_subfolder": "internet-explorer-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -249,6 +264,7 @@
 "build_output_subfolder": "bcs-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
@@ -265,6 +281,7 @@
 "build_output_subfolder": "win-access-protection-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -281,6 +298,7 @@
 "build_output_subfolder": "win-device-security-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -297,6 +315,7 @@
 "build_output_subfolder": "education-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -313,6 +332,7 @@
 "build_output_subfolder": "store-for-business-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -329,6 +349,7 @@
 "build_output_subfolder": "win-configuration-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -345,6 +366,7 @@
 "build_output_subfolder": "windows-update-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -361,6 +383,7 @@
 "build_output_subfolder": "win-whats-new-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -377,6 +400,7 @@
 "build_output_subfolder": "itpro-hololens-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -393,6 +417,7 @@
 "build_output_subfolder": "windows-configure-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -402,6 +427,23 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "microsoft-365",
+ "build_source_folder": "microsoft-365",
+ "build_output_subfolder": "microsoft-365",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_groups": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
@@ -435,10 +477,6 @@
 "master": [
 "Publish",
 "Pdf"
- ],
- "msesdemo": [
- "Publish",
- "Pdf"
 ]
 },
 "need_generate_pdf_url_template": true,
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index a860bdea45..ef3741bb12 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -227,7 +227,12 @@
 },
 {
 "source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md",
-"redirect_url": "/windows/configuration/set-up-a-device-for-anyone-to-use",
+"redirect_url": "/windows/configuration/kiosk-shared-pc",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/configuration/set-up-a-device-for-anyone-to-use.md",
+"redirect_url": "/windows/configuration/kiosk-shared-pc",
 "redirect_document_id": true
 },
 {
@@ -7647,7 +7652,7 @@
 },
 {
 "source_path": "windows/manage/manage-corporate-devices.md",
-"redirect_url": "/windows/client-management/manage-corporate-devices",
+"redirect_url": "/windows/client-management/index",
 "redirect_document_id": true
 },
 {
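Review bot: The new `microsoft-365` docset sets `"build_output_subfolder": "microsoft-365"`, while every other docset in this file (all visible in the earlier hunks) ends its output subfolder in `-VSTS`, e.g. `bcs-VSTS`; if that suffix is a convention the publishing pipeline relies on, `"build_output_subfolder": "microsoft-365-VSTS"` would keep the entry consistent. If the bare name is intentional, a line in the commit message saying so would spare the next reader the question, since nothing in the file explains the difference. `"open_to_public_contributors": false` matches the `bcs` docset and reads as deliberate for a product that is not yet public. The array this entry is appended to opens before the hunk.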
@@ -8274,6 +8279,16 @@
 "source_path": "windows/manage/change-history-for-manage-and-update-windows-10.md",
 "redirect_url": "/windows/windows-10/index",
 "redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-servicing-branches-windows-10-updates.md",
+"redirect_url": "/windows/deployment/update/waas-servicing-channels-windows-10-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/windows-10-enterprise-activation-subscription.md",
+"redirect_url": "/windows/deployment/windows-10-enterprise-subscription-activation",
+"redirect_document_id": true
 }
 ]
 }
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 99dceed75d..bd183c2b97 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -31,7 +31,7 @@ We've tried to make editing an existing, public file as simple as possible.
 ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
+ - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
 - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
diff --git a/bcs/TOC.md b/bcs/TOC.md
index 06913f7aef..ec9e79cbfc 100644
--- a/bcs/TOC.md
+++ b/bcs/TOC.md
@@ -1 +1 @@
-# [Index](index.md)
\ No newline at end of file
+# [Microsoft 365 Business FAQ](support/microsoft-365-business-faqs.md)
\ No newline at end of file
diff --git a/bcs/breadcrumb/toc.yml b/bcs/breadcrumb/toc.yml
new file mode 100644
index 0000000000..6a29a6b202
--- /dev/null
+++ b/bcs/breadcrumb/toc.yml
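Review bot: After this hunk `.openpublishing.redirection.json` still ends without a trailing newline (the `\ No newline at end of file` marker survives), even though the commit already touches the end of the array; terminating the file with a newline here would stop every future append from also showing a change on the closing `}` line. The two added entries follow the same `source_path`/`redirect_url`/`redirect_document_id` shape as their neighbours, so nothing else stands out. The enclosing array opens well before the hunk.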
@@ -0,0 +1,11 @@ +- name: Docs + tocHref: / + topicHref: / + items: + - name: Microsoft 365 Business + tocHref: /microsoft-365-business/ + topicHref: /microsoft-365-business/index + items: + - name: Support + tocHref: /microsoft-365-business/support/ + topicHref: /microsoft-365-business/support/microsoft-365-business-faqs \ No newline at end of file diff --git a/bcs/docfx.json b/bcs/docfx.json index 4e3f166ece..aa19bbfd9b 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -3,7 +3,8 @@ "content": [ { "files": [ - "**/*.md" + "**/*.md", + "**/**.yml" ], "exclude": [ "**/obj/**", @@ -19,7 +20,9 @@ { "files": [ "**/*.png", - "**/*.jpg" + "**/*.svg", + "**/*.jpg", + "**/*.json" ], "exclude": [ "**/obj/**", @@ -30,6 +33,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "breadcrumb_path": "/microsoft-365-business/breadcrumb/toc.json", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "TechNet.bcs" diff --git a/bcs/images/bcs-information-product-help-office.svg b/bcs/images/bcs-information-product-help-office.svg new file mode 100644 index 0000000000..a748576afa --- /dev/null +++ b/bcs/images/bcs-information-product-help-office.svg @@ -0,0 +1,94 @@ + + + + + bcs-information-product-help-office + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-information-product-help-windows10.svg b/bcs/images/bcs-information-product-help-windows10.svg new file mode 100644 index 0000000000..f9c36f40be --- /dev/null +++ b/bcs/images/bcs-information-product-help-windows10.svg @@ -0,0 +1,122 @@ + + + + + bcs-information-product-help-windows10 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-iw-devicesetup-move-files-2.svg b/bcs/images/bcs-iw-devicesetup-move-files-2.svg new file mode 100644 index 0000000000..8eff6a423a --- /dev/null +++ b/bcs/images/bcs-iw-devicesetup-move-files-2.svg 
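Review bot: In the `bcs/docfx.json` hunks the content glob is added as `"**/**.yml"`, which is written differently from the `"**/*.md"` entry right above it; `"**/*.yml"` is the matching form and covers the new `breadcrumb/toc.yml`, so unless `**/**.yml` is needed for a matcher quirk I would use `"**/*.yml"` for consistency. The resource glob `"**/*.json"` publishes every JSON file in the docset as a static asset, which presumably includes this `docfx.json` itself unless the `exclude` list continuing outside the hunk filters it; if no JSON actually needs to be served (the breadcrumb `toc.json` named in `breadcrumb_path` is presumably generated from `toc.yml` rather than copied), the line can be dropped, and otherwise a pattern scoped to the folder holding the intended file limits what is copied to the site. The SVGs added in the same commit will go out verbatim under `"**/*.svg"` and their contents are not visible in this diff, so it is worth confirming they were exported without embedded script or event-handler attributes before they are served from the docs origin. The object these hunks modify starts before the first hunk and continues past the last.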
@@ -0,0 +1,76 @@ + + + + + bcs-partner-advanced-management-move-files-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-iw-devicesetup-setup-1.svg b/bcs/images/bcs-iw-devicesetup-setup-1.svg new file mode 100644 index 0000000000..6011499c3a --- /dev/null +++ b/bcs/images/bcs-iw-devicesetup-setup-1.svg @@ -0,0 +1,91 @@ + + + + + bcs-partner-advanced-management-setup-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- add-group-5.svg b/bcs/images/bcs-partner-advanced-management- add-group-5.svg new file mode 100644 index 0000000000..435e4bc752 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- add-group-5.svg @@ -0,0 +1,69 @@ + + + + + bcs-partner-advanced-management- add-group-5 + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- billing-7.svg b/bcs/images/bcs-partner-advanced-management- billing-7.svg new file mode 100644 index 0000000000..50af1d2262 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- billing-7.svg @@ -0,0 +1,115 @@ + + + + + bcs-partner-advanced-management- billing-7 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- install-4.svg b/bcs/images/bcs-partner-advanced-management- install-4.svg new file mode 100644 index 0000000000..24f2df79ca --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- install-4.svg @@ -0,0 +1,62 @@ + + + + + bcs-partner-advanced-management- install-4 + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- management-4_placeholder.svg b/bcs/images/bcs-partner-advanced-management- management-4_placeholder.svg new file mode 100644 index 0000000000..81370d6388 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- management-4_placeholder.svg 
@@ -0,0 +1,39 @@ + + + + + bcs-partner-advanced-management- management-4 + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- reports-9.svg b/bcs/images/bcs-partner-advanced-management- reports-9.svg new file mode 100644 index 0000000000..f34b2f595e --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- reports-9.svg @@ -0,0 +1,106 @@ + + + + + bcs-partner-advanced-management- reports-9 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-add-domain-2.svg b/bcs/images/bcs-partner-advanced-management-add-domain-2.svg new file mode 100644 index 0000000000..2fab39dd10 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-add-domain-2.svg @@ -0,0 +1,75 @@ + + + + + bcs-partner-advanced-management-add-domain- + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-add-user-1.svg b/bcs/images/bcs-partner-advanced-management-add-user-1.svg new file mode 100644 index 0000000000..30bebd62f4 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-add-user-1.svg @@ -0,0 +1,69 @@ + + + + + bcs-partner-advanced-management-add-user-1 + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-auto-pilot-3.svg b/bcs/images/bcs-partner-advanced-management-auto-pilot-3.svg new file mode 100644 index 0000000000..bd992b7c7f --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-auto-pilot-3.svg @@ -0,0 +1,88 @@ + + + + + bcs-partner-advanced-management-auto-pilot-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-faq-2.svg b/bcs/images/bcs-partner-advanced-management-faq-2.svg new file mode 100644 index 0000000000..a89de48058 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-faq-2.svg 
@@ -0,0 +1,88 @@ + + + + + bcs-partner-advanced-management-faq-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-find-partner-1.svg b/bcs/images/bcs-partner-advanced-management-find-partner-1.svg new file mode 100644 index 0000000000..ffae69af7c --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-find-partner-1.svg @@ -0,0 +1,105 @@ + + + + + bcs-partner-advanced-management-fid-oartner-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-find-partner-2.svg b/bcs/images/bcs-partner-advanced-management-find-partner-2.svg new file mode 100644 index 0000000000..221c47548e --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-find-partner-2.svg @@ -0,0 +1,73 @@ + + + + + bcs-partner-advanced-management-find-partner-2 + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-intune-1.svg b/bcs/images/bcs-partner-advanced-management-intune-1.svg new file mode 100644 index 0000000000..ba86b50274 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-intune-1.svg @@ -0,0 +1,76 @@ + + + + + bcs-partner-advanced-management-intune-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-learn-about-1.svg b/bcs/images/bcs-partner-advanced-management-learn-about-1.svg new file mode 100644 index 0000000000..5237e929eb --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-learn-about-1.svg @@ -0,0 +1,70 @@ + + + + + bcs-partner-advanced-management-learn-about-1 + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-password-3.svg b/bcs/images/bcs-partner-advanced-management-password-3.svg new file mode 100644 index 0000000000..f1f91ab410 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-password-3.svg 
@@ -0,0 +1,56 @@ + + + + + bcs-partner-advanced-management-password-3 + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-resources-6_placeholder.svg b/bcs/images/bcs-partner-advanced-management-resources-6_placeholder.svg new file mode 100644 index 0000000000..1a4d5ad540 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-resources-6_placeholder.svg @@ -0,0 +1,37 @@ + + + + + bcs-partner-advanced-management-resources-6 + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-settings-8.svg b/bcs/images/bcs-partner-advanced-management-settings-8.svg new file mode 100644 index 0000000000..5b556a7ce0 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-settings-8.svg @@ -0,0 +1,85 @@ + + + + + bcs-partner-advanced-management-settings-8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-technical-support-4.svg b/bcs/images/bcs-partner-advanced-management-technical-support-4.svg new file mode 100644 index 0000000000..00fe5333f8 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-technical-support-4.svg @@ -0,0 +1,88 @@ + + + + + bcs-partner-advanced-management-technical-support-4 + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-troubleshooting-3.svg b/bcs/images/bcs-partner-advanced-management-troubleshooting-3.svg new file mode 100644 index 0000000000..d70739d1c2 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-troubleshooting-3.svg @@ -0,0 +1,78 @@ + + + + + bcs-partner-advanced-management-troubleshooting-3 + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-windows10-2.svg b/bcs/images/bcs-partner-advanced-management-windows10-2.svg new file mode 100644 index 0000000000..dbfef70e2d --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-windows10-2.svg 
@@ -0,0 +1,59 @@ + + + + + bcs-partner-advanced-management-windows10-2 + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-windows10pc-3.svg b/bcs/images/bcs-partner-advanced-management-windows10pc-3.svg new file mode 100644 index 0000000000..5e772085f1 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-windows10pc-3.svg @@ -0,0 +1,96 @@ + + + + + bcs-partner-advanced-management-windows10pc-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-get-started-1.svg b/bcs/images/bcs-partner-get-started-1.svg new file mode 100644 index 0000000000..3fda6d92c6 --- /dev/null +++ b/bcs/images/bcs-partner-get-started-1.svg @@ -0,0 +1,116 @@ + + + + + bcs-partner-get-started-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-identity-manager.svg b/bcs/images/bcs-partner-identity-manager.svg new file mode 100644 index 0000000000..c75db3c46f --- /dev/null +++ b/bcs/images/bcs-partner-identity-manager.svg @@ -0,0 +1,91 @@ + + + + + bcs-partner-identity-manager + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-install-2.svg b/bcs/images/bcs-partner-install-2.svg new file mode 100644 index 0000000000..e112e26bc1 --- /dev/null +++ b/bcs/images/bcs-partner-install-2.svg @@ -0,0 +1,90 @@ + + + + + bcs-partner-install-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-office-migration-1.svg b/bcs/images/bcs-partner-office-migration-1.svg new file mode 100644 index 0000000000..4d3078c578 --- /dev/null +++ b/bcs/images/bcs-partner-office-migration-1.svg @@ -0,0 +1,67 @@ + + + + + bcs-partner-identitiy-integration-1 + + + + + + + + + + + + + + + + + + + 
diff --git a/bcs/images/bcs-partner-policies-set-device-config-1.svg b/bcs/images/bcs-partner-policies-set-device-config-1.svg new file mode 100644 index 0000000000..78c1851ca6 --- /dev/null +++ b/bcs/images/bcs-partner-policies-set-device-config-1.svg @@ -0,0 +1,85 @@ + + + + + bcs-partner-policies-set-device-config-1 + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-policies-view-policies-2.svg b/bcs/images/bcs-partner-policies-view-policies-2.svg new file mode 100644 index 0000000000..a9864295ae --- /dev/null +++ b/bcs/images/bcs-partner-policies-view-policies-2.svg @@ -0,0 +1,78 @@ + + + + + bcs-partner-policies-view-policies-2 + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-prepare-office-1.svg b/bcs/images/bcs-partner-prepare-office-1.svg new file mode 100644 index 0000000000..4a32ab1c8a --- /dev/null +++ b/bcs/images/bcs-partner-prepare-office-1.svg @@ -0,0 +1,66 @@ + + + + + bcs-partner-prepare-office-1 + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-remove-3.svg b/bcs/images/bcs-partner-remove-3.svg new file mode 100644 index 0000000000..c0391193d3 --- /dev/null +++ b/bcs/images/bcs-partner-remove-3.svg @@ -0,0 +1,150 @@ + + + + + bcs-partner-remove-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-reset-windows-4.svg b/bcs/images/bcs-partner-reset-windows-4.svg new file mode 100644 index 0000000000..a4edc0ec2e --- /dev/null +++ b/bcs/images/bcs-partner-reset-windows-4.svg @@ -0,0 +1,85 @@ + + + + + bcs-partner-reset-windows-4 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-upgrade-2.svg b/bcs/images/bcs-partner-upgrade-2.svg new file mode 100644 index 0000000000..6caf6e7678 --- /dev/null 
+++ b/bcs/images/bcs-partner-upgrade-2.svg @@ -0,0 +1,60 @@ + + + + + bcs-partner-upgrade-2 + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-user-management-add-customer-1.svg b/bcs/images/bcs-user-management-add-customer-1.svg new file mode 100644 index 0000000000..ce7d0b8c16 --- /dev/null +++ b/bcs/images/bcs-user-management-add-customer-1.svg @@ -0,0 +1,99 @@ + + + + + bcs-user-management-add-customer-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-user-management-remove-customer-2.svg b/bcs/images/bcs-user-management-remove-customer-2.svg new file mode 100644 index 0000000000..d6e01e0d1e --- /dev/null +++ b/bcs/images/bcs-user-management-remove-customer-2.svg @@ -0,0 +1,150 @@ + + + + + bcs-user-management-remove-customer-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/index.md b/bcs/index.md index 867e2c8492..01f7f2e27b 100644 --- a/bcs/index.md +++ b/bcs/index.md @@ -1 +1,964 @@ -# Placeholder \ No newline at end of file +--- +layout: HubPage +hide_bc: true +author: CelesteDG +ms.author: celested +ms.topic: hub-page +ms.localizationpriority: high +audience: microsoft-business  +title: Microsoft 365 Business documentation and resources +description: Learn about the product documentation and resources available for Microsoft 365 Business partners, IT admins, information workers, and business owners. +--- +
+
+ +
+
+

Microsoft 365 Business documentation and resources

+ + + +
+
diff --git a/bcs/support/microsoft-365-business-faqs.md b/bcs/support/microsoft-365-business-faqs.md new file mode 100644 index 0000000000..9626e4deb5 --- /dev/null +++ b/bcs/support/microsoft-365-business-faqs.md 
@@ -0,0 +1,334 @@ +---  +title: Microsoft 365 Business Frequently Asked Questions  +description: Find answers to the most frequently asked questions about Microsoft 365 Business, a new solution designed for small and midsize businesses (SMB).  +author: CelesteDG  +ms.author: celested  +ms.topic: article  +ms.prod: microsoft-365-business +ms.localizationpriority: high +audience: microsoft-business  +keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers +ms.date: 08/04/2017 +--- + +# Microsoft 365 Business Frequently Asked Questions + +## Introduction + +What is Microsoft 365 Business? +-------------------------------- + +Microsoft 365 Business is a new solution designed for small and midsize businesses (SMB), bringing together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data. + +Microsoft 365 Business enables you to: + +- **Create your best with tools like** Word, Excel, PowerPoint, Outlook, OneNote and Access. +- **Be productive from anywhere,** with business-class email from Outlook and access to cloud files with OneDrive for Business. +- **Conduct online meetings and get instant messaging** with Skype for Business. +- **Collaborate in real time with the chat-based workspace** Microsoft Teams. +- **Safeguard your business** by enforcing malware protection for Windows devices, with Windows Defender. +- **Help protect your data and intellectual property** with App Protection for Office mobile apps on iOS and Android devices, and + Mobile Device Management (MDM) for Windows 10 PCs. +- **Save time and be protected** with consistent configuration across newly deployed PCs running Windows 10 Business and auto deployment + of Office 365 apps, provided by Windows AutoPilot. +- **Be secured and always up to date** with Office 365 updates and Windows 10. 
+- **Simply manage technology costs** in one subscription, with simple per user, per month pricing. + +Where can I find out more about Microsoft 365 Business? +-------------------------------------------------------- + +Customers and partners can visit [http://www.microsoft.com/microsoft-365/business](http://www.microsoft.com/microsoft-365/business) where they can sign up to see a demo of Microsoft 365 Business in +action. The preview will be accessible from the web site on August 2, 2017. + +Who should consider adopting Microsoft 365 Business? +----------------------------------------------------- + +Microsoft 365 Business was built for small and midsize customers that have little to no IT resources on staff and want best-in-class productivity and collaboration capabilities of Office 365 together with +device management and security solutions that safeguard business data. + +How can I get Microsoft 365 Business for my business? +------------------------------------------------------ + +Microsoft 365 Business may be purchased through a [Microsoft Partner](https://partnercenter.microsoft.com/en-us/pcv/search) or directly from +[Microsoft](http://www.microsoft.com/microsoft-365/business). In choosing whether to purchase directly from Microsoft or via a Microsoft Partner, you should consider your on-staff capability and desire to +maintain an IT infrastructure. A Microsoft Partner can help you deploy and manage your IT infrastructure including Microsoft solutions. + +How much will Microsoft 365 Business cost? +------------------------------------------- + +Microsoft 365 Business will be offered at USD\$20.00/mo./user based on an annual contract if purchased directly from Microsoft. When purchased through a Microsoft Partner, pricing can vary based on the services the +partner provides and their pricing model for Microsoft 365 Business. There are no planned pricing discounts for government, education or non-profit organizations. 
+ +How are customers billed for Microsoft 365 Business subscriptions? +------------------------------------------------------------------- + +When Microsoft 365 Business is purchased via a Microsoft Partner, the bill will come from that Partner and may include additional products and services outside of the subscription pricing. When purchased directly +from Microsoft, the customer is billed by Microsoft. + +Is there a cap to how many Microsoft 365 Business seats a customer can have? +----------------------------------------------------------------------------- + +Microsoft 365 Business was designed for small to medium sized businesses with low to medium IT complexity requirements. Customers may purchase up to 300 Microsoft 365 Business licenses for their organization. Depending +on their organization’s IT requirements, they may add Microsoft 365 Enterprise licenses to the same environment. + +When considering an environment consisting of multiple subscription types, customers should work with their trusted IT advisors to determine how best to manage and secure the various subscriptions as Microsoft 365 +Business and Microsoft 365 Enterprise use different capabilities to secure and manage applications and data. + +Can I combine Microsoft 365 Business with other Microsoft subscription offerings? +---------------------------------------------------------------------------------- + +Yes, customers can combine their Microsoft 365 Business subscriptions with plans and add-ons from Azure, Dynamics and Office 365. + +Does everyone in my business required to have a Microsoft 365 Business subscription? +------------------------------------------------------------------------------------- + +No, not everyone needs a Microsoft 365 Business subscription, although the security and management benefits are available only to those users with devices managed with a Microsoft 365 Business subscription. 
+ +Standardizing an IT environment serves to help reduce maintenance and security costs over time and is a state that businesses should strive to attain. However, we recognize that some small and medium size customers +update their software primarily when they upgrade their hardware, over an extended period of time. Businesses can deploy Microsoft 365 Business to part of their organization, but for best protection of sensitive +business data and consistent collaboration experiences, deployment to all users is recommended. + +How can I know if the hardware and software I run today is compatible with Microsoft 365 Business? +--------------------------------------------------------------------------------------------------- + +If the hardware you run today runs Windows 7 Professional or later, it likely meets the minimum requirements for Microsoft 365 Business. +Certain Windows 10 features such as Cortana, Windows Hello and multi-touch require specific hardware that is only available on newer PCs. See the [Windows 10 Pro system +requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) for additional details. + +Existing desktop (Win32) application compatibility is strong in Windows 10, with most existing applications working without any changes. Customers and their trusted IT advisors should read the recommended +application testing process for [Windows 10 compatibility](https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-compatibility#recommended-application-testing-process) +and review the [Office system requirements](https://products.office.com/en-us/office-system-requirements#subscription-plans-section) to ensure a smooth transition to Microsoft 365 Business. + +What is Windows 10 Business? +----------------------------- + +Windows 10 Business is a set of cloud-services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business. 
Windows 10 Business also comes with Windows AutoPilot, a service that streamlines the deployment of new Windows 10 PCs. If you have devices that are licensed for Windows 7, 8 and 8.1 Professional, Microsoft 365 Business provides an upgrade to Windows 10 Pro which is the prerequisite for deploying Windows 10 Business. + +How does Microsoft 365 Business help support my company’s Bring Your Own Device (BYOD) policy? +----------------------------------------------------------------------------------------------- + +Many employees prefer to use their own mobile phones or tablets to access personal and work information rather than carrying multiple devices for each purpose. The use of personal devices for work, while commonplace, increases the risk that business information could end up in the wrong hands. Many competing mobile data protection solutions require users to switch to a specific mode on their device or use another complex mechanism that users may find intrusive and therefore avoid using. + +Microsoft 365 Business offers customers a simple but powerful means of enabling employees to use their personal devices for work while providing the business with the ability to prevent those devices from accessing, retaining and/or sharing business information. More specifically: + +- **App Protection for Office mobile** helps **apps** protect Office data, including email, calendar, contacts, and documents on iOS and Android mobile devices, by enforcing policies such as automatically deleting business data after a prescribed amount of time of not connecting to the service, requiring that information is stored only to OneDrive for Business, requiring a PIN/fingerprint verification to access Office apps, and preventing company data from being copied from an Office app into personal apps. 
+- **Mobile Device Management** (MDM) for Windows 10 devices allows businesses to choose to set and enforce capabilities such as Windows Defender protection for malware, automatic updates, and turning off screens after a prescribed amount of time. In addition, lost or stolen Windows 10 devices can be completely wiped of business applications and data through the Admin center. + +How does Microsoft 365 Business help protect PCs in my organization from malicious attacks? +-------------------------------------------------------------------------------------------- + +PCs managed with Microsoft 365 Business are protected with Windows Defender, which is the No. 1 antivirus feature on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than +any other solution. With Microsoft 365 Business, businesses can ensure Windows Defender protection is running and always up to date on all their Windows 10 devices. + +### What's the difference between Office 365 Business Premium, Microsoft 365 Business and Microsoft 365 Enterprise? + +Microsoft has a variety of productivity and security management offerings that small to medium-sized customers may consider when upgrading their desktop and device infrastructure, each bringing increasingly powerful features and functionality. + +**Office 365 Business Premium** delivers best-in-class productivity with Office 365 apps and services but does not include the application protection and device management capabilities of Microsoft 365 Business. + +**Microsoft 365 Business** combines Office 365 apps and services with mobile application management and Windows 10 Pro to enable remote management and help protect devices against viruses and malware. It includes a simplified management console through which device and data policies may be administered. 
Many small to midsize businesses can be best served with Microsoft 365 Business, although those in highly regulated industries may require more advanced functionality provided by Microsoft 365 Enterprise plans (E3 and E5). + +**Microsoft 365 Enterprise** is a set of licensing plans that offer increased levels of mobility and security management over Microsoft 365 Business and are designed for enterprise customers and those customers that are required or regulated to provide the highest level of protection for their data. In addition, Microsoft 365 Business plans provide additional functionality including business intelligence and analytics tools. + +Can I switch my Office 365 plan to Microsoft 365 Business? +----------------------------------------------------------- + +Yes, customers may switch their plans from a qualifying Office 365 plan to Microsoft 365 Business is generally available. Depending on the customer’s current plan there may be a decrease or increase in monthly charges. + +In what regions will Microsoft 365 Business be available? +---------------------------------------------------------- + +The Microsoft 365 Business will be available to all partners and customers where Office 365 is available. [See the list of Office 365 international availability for languages, countries and regions](https://products.office.com/en-us/business/international-availability). + +## Public Preview + +Who has access to the Microsoft 365 Business preview? +------------------------------------------------------ + +The Microsoft 365 Business preview is available to new customers as well as existing Office 365 subscribers in all [markets where Office 365 is currently available](https://products.office.com/en-us/business/international-availability). + +I’m an existing Office 365 customer. Can I access the Microsoft 365 Business preview? 
+------------------------------------------------------------------------------------- + +Microsoft 365 Business can be used with existing Office 365 Business Premium subscriptions. Office 365 Business Premium subscribers that move to Microsoft 365 Business would not experience any end-user impacts (re-install Office, lose functionality, etc) upon assignment of the license. Customers running Office 365 Enterprise E3/E5 may experience end user impacts if they move to Microsoft 365 Business, it is not a recommended transition path at this time. + +When will Microsoft 365 Business preview be available? +------------------------------------------------------- + +The Microsoft 365 Business preview will be available starting on August 2, 2017. + +In what regions is the Microsoft 365 Business preview available? +----------------------------------------------------------------- + +The Microsoft 365 Business preview is available to all partners and customers where Office 365 is available. [See the list of Office 365 international availability for languages, countries and regions](https://products.office.com/en-us/business/international-availability). + +When will Microsoft 365 Business be generally available? +--------------------------------------------------------- + +Microsoft 365 Business is expected to be generally available toward the end of the calendar year. + +Is there a limit to how many users can experience the preview? +--------------------------------------------------------------- + +Each organization can up to 300 users on Microsoft 365 Business during the preview. + +What should customers and partners know before running Microsoft 365 Business within their organization? +--------------------------------------------------------------------------------------------------------- + +Customers that wish to experience the complete capabilities of Microsoft 365 Business must be running Windows 7, 8.1 or 10 Pro\* on their existing desktops. 
Customers who use on-premises Active Directory must switch to cloud identity and management as part of their deployment. Existing Windows 10 Pro PCs should be running Creators Update if they have not already done so. + +\*Devices running Windows 7 or 8.1 Pro are eligible for an upgrade to +Windows 10 Pro within the Microsoft 365 Business preview. + +Is there any charge for the Microsoft 365 Business preview? +------------------------------------------------------------ + +No, Microsoft will not charge for the preview. If you work with an outside [IT partner](https://partnercenter.microsoft.com/en-us/pcv/search) and require assistance to deploy Microsoft 365 Business preview, they may charge you for their deployment services and assistance. At the end of the preview customers may convert to a paid subscription to continue using Microsoft 365 Business. + +I’m an existing Office 365 customer. Will I be charged for an Office 365 subscription while I am using the Microsoft 365 Business preview? +------------------------------------------------------------------------------------------------------------------------------------------ + +The Microsoft 365 Business preview is free and does not require an existing Office 365 Business Premium subscription. Current Office 365 customers will continue to be billed for active Office 365 subscriptions that are not associated with the Microsoft 365 Business preview. + +What is the best way to deploy Microsoft 365 Business in my organization? +-------------------------------------------------------------------------- + +Partner-assisted deployment is the recommended way to deploy Microsoft 365 Business preview. Contact your Microsoft Partner and ask them if they are participating in the Microsoft 365 Business Preview Trial. Your Partner is well-equipped to help customers understand their options and make the best recommendations for deploying Microsoft 365 Business preview in your organization. 
+ +If you do not have a Microsoft partner, you can find one [here](https://partnercenter.microsoft.com/en-us/pcv/search). + +## Deployment + +What should customers consider when planning a Microsoft 365 Business deployment? +---------------------------------------------------------------------------------- + +The most direct path to a successful Microsoft 365 Business deployment is to engage with a Microsoft Partner. They have extensive training and experience with a wide variety of customer scenarios and are best equipped to understand your environment and needs. Customers that have experienced IT on staff can use the [Microsoft 365 Business Getting Started](https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364) to assist them in their Microsoft 365 Business deployment. + +Does Microsoft 365 Business include the full capabilities of Microsoft Intune? +------------------------------------------------------------------------------- + +Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsoft Intune. These are a subset of Intune features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a Microsoft 365 Enterprise plan. + +Does Microsoft 365 Business allow customers to manage Macs? +------------------------------------------------------------ + +The security and management capabilities of Microsoft 365 Business pertain to iOS, Android mobile devices, and Windows PCs. + +What is Windows AutoPilot? +--------------------------- + +Windows AutoPilot is a service that streamlines the deployment of new Windows 10 PCs. This process can be done when the end-user logs on to Microsoft 365 Business for the first time— without IT ever touching the device—by leveraging centralized management controls of Microsoft 365 Business. 
You can also use Windows AutoPilot for existing PCs that are running Windows 10 Professional Creators Update and have been factory reset. Details about Windows AutoPilot can be found in [this June blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-AutoPilot/). + +## Compatibility + +Can I add Office 365 E5 add-ons to Microsoft 365 Business? +----------------------------------------------------------- + +All the add-ons that can be added to Office 365 Business Premium can be added to Microsoft 365 Business. This means that you can purchase Advanced Threat Protection, Advanced Security Management, Customer Lockbox, Advanced eDiscovery, MyAnalytics, PowerBI Pro, and PSTN Conferencing. + +Can I add Cloud PBX and PSTN Calling plans to Microsoft 365 Business? +---------------------------------------------------------------------- + +At this time, these capabilities are reserved for customers who have more advanced needs. Customers who require Cloud PBX or PSTN Calling plans should look at Microsoft 365 Enterprise offerings. + +Can I use add on Archiving or additional storage to Microsoft 365 Business? +---------------------------------------------------------------------------- + +Yes, you can add on additional archiving or storage to Microsoft 365 Business. + +Can Microsoft 365 Business customers use Windows Defender Advanced Threat Protection? +-------------------------------------------------------------------------------------- + +No, customers that require Windows Defender Advanced Threat Protection need either Windows 10 Enterprise E5 or Microsoft 365 Enterprise E5. + +Can I use Windows Information Protection with Microsoft 365 Business? 
+---------------------------------------------------------------------- + +Yes, Windows Information Protection (WIP) is a feature of Windows 10 Pro and helps businesses prevent accidental leaks by restricting user and app access to business files based on policies you define. Your business data is protected no matter where it lives on your devices—without affecting your user experience. Microsoft 365 Business includes controls to ensure Windows Information Protection is properly configured and automatically deployed to end-user devices. + +Can customers use Microsoft 365 Business with on-premises Active Directory? +---------------------------------------------------------------------------- + +To realize the full value of Windows 10, Windows 10 PCs need to be joined to Azure Active Directory. You may use Microsoft 365 Business with Windows 10 devices +joined to on-premises Active Directory but it is not recommended because you won’t be able to enforce policies from the Microsoft 365 Business Admin console. + +Can customers create hosted Windows 10 VMs with a Microsoft 365 Business subscription? +--------------------------------------------------------------------------------------- + +No, customers that require virtualization should purchase Windows 10 Enterprise or a Microsoft 365 Enterprise subscription. + +## Partner Opportunity + +Where can I learn more about the opportunities and benefits in becoming a Microsoft Partner? +--------------------------------------------------------------------------------------------- + +IT service providers that are not already Microsoft partners can learn more about the Microsoft Cloud Solution Provider program at +[https://partner.microsoft.com/cloud-solution-provider](https://partner.microsoft.com/cloud-solution-provider). + +Where can I learn how to sell Microsoft 365 Business? 
+------------------------------------------------------ + +Partners now selling Office 365 can use the same consultative selling methods to sell Microsoft 365 Business. In addition, we are introducing resources and training for your sales team to understand the customers’ existing desktop environment, Active Directory reliance, mobility and security needs to effectively communicate the full value of Microsoft 365 Business in a way that is relevant to the customer. Find these resources on the Office Partner portal at +[http://partners.office.com](http://partners.office.com/). + +How can Microsoft 365 Business help partners increase the profitability? +------------------------------------------------------------------------- + +Microsoft 365 Business will help partners reduce costs through greater operational efficiencies and enhance revenue through the sale of additional services. The Forrester Research, Microsoft 365 Business Total Economic Impact (TEI) Study, June 2017 [(available on the partner portal)](http://partners.office.com/), demonstrates that Microsoft 365 Business will have positive impact on partner profitability. + +In the TEI study partners reported that with Microsoft 365 Business they +expect: + +- 20%-point increase in \[one-time\] deployment and advisory services revenue +- 10%-point increase in attach rate of managed services +- 8%-point increase in consulting and \[ongoing\] managed services profit margins (from lower costs) + +What resources are available to partners to sell, deploy and support Microsoft 365 Business? + +Microsoft provides a wide selection of resources for CSP partners to market, sell, and support Microsoft 365 Business. They can be found at +[http://partners.office.com](http://partners.office.com/). + +What up-sell opportunities does Microsoft 365 Business give partners? 
+---------------------------------------------------------------------- + +Microsoft 365 Business allows partners to maintain their trusted advisor position with customers, by creating a solid and secure platform upon which to sell additional services, or upgrade existing products and services. Microsoft 365 Business provides an opportunity to have an upgrade discussion with customers now using Exchange Server, Exchange Online or Office 365 Business Essentials. Partners may also gain additional revenue from increased managed services and/or per-user +support fees. + +With the new Windows AutoPilot feature included in Microsoft 365 Business, partners who have been reluctant to sell new Windows devices due to deployment logistics and costs may now find this opportunity much more attractive. Customers who are confident in the security of their onpremise and mobile devices are also more likely to invest in additional services, such as Dynamics 365. + +Should partners sell Microsoft 365 Business over other plans from Microsoft? +----------------------------------------------------------------------------- + +A Microsoft Cloud Solution Provider should always sell the plan that best suits its customer business needs and budget. For example, if a customer must comply with privacy and security regulations, a CSP may sell Microsoft 365 Business plus any add-ons that help the customer meet its requirements or may suggest the advanced security and management provided by Microsoft 365 Business E SKUs. + +I have devices that are not genuine; will Microsoft 365 Business make my devices genuine? +------------------------------------------------------------------------------------------ + +No, Microsoft 365 Business does not make an otherwise non-genuine version of Windows, genuine. Microsoft 365 Business does provide an upgrade benefit allowing those customers running genuine Windows 7, 8 or 8.1 Pro to upgrade to the most recent, genuine version of Windows 10 Pro. 
+ +How do partners make any money offering the Microsoft 365 Business preview to their customers? +----------------------------------------------------------------------------------------------- + +Partners can realize revenue opportunities by deploying Microsoft 365 Business preview and providing other managed services that support the solution. + +What is the exact name of the Microsoft 365 Business preview SKU and when will it be available? +------------------------------------------------------------------------------------------------ + +The Microsoft 365 Business preview is called the Microsoft 365 Business Preview Trial and will be on August 2 CSP Price List. + +How can I convert a preview customer subscription to Microsoft 365 Business when it is generally available? +------------------------------------------------------------------------------------------------------------ + +We will provide more information on converting Microsoft 365 Business preview customers to subscribers later. + +What support is available to CSP partners for the Microsoft 365 Business Preview? +---------------------------------------------------------------------------------- + +The same support channels available to CSP partners today (premier support and advanced support program) have been trained on Microsoft 365 +Business and are ready to provide partners with support. + +What is the GDPR and how does Microsoft 365 Business help customers with their compliance obligations? +------------------------------------------------------------------------------------------------------- + +The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” and requires organizations to maintain the integrity of that personal data. 
The GDPR requires organizations that control, or process personal data tied to EU residents to only use third-party data processors that meet the GDPR’s requirements for personal data processing. In March 2017, Microsoft made +available contractual guarantees that provide these assurances. Customers who have questions about how Microsoft can help them meet their additional GDPR obligations should learn about the advanced compliance and security capabilities available as add-ons (e.g. Azure Information Protection) and in other Suites (e.g. Microsoft 365 Enterprise E5). To learn more, visit [www.microsoft.com/gdpr](http://www.microsoft.com/gdpr).
\ No newline at end of file
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index c0e8ff73af..4188a5ce94 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -6,7 +6,7 @@ ms.prod: edge
 ms.mktglfcycl: general
 ms.sitesec: library
 title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros)
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Microsoft Edge - Deployment Guide for IT Pros
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index c62e0d7b6a..097833b6a3 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -6,7 +6,7 @@ ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
 title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
@@ -656,7 +656,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
 ### ClearBrowsingDataOnExit
 - **Supported versions:** Windows 10, version 1703
-- **Supported devices:** Both
+- **Supported devices:** Desktop
 - **Details:**
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 0ce06c2d4f..e3c6a0b2d7 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -4,7 +4,7 @@ description: This topic lists new and updated topics in the Microsoft Edge docum
 ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Change history for Microsoft Edge
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index 1f3cf5ea43..4889826de3 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: appcompat
 title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Use Enterprise Mode to improve compatibility
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index 25a4a724e7..8cb8912f67 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -6,7 +6,7 @@ ms.prod: edge
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: appcompat
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Browser: Microsoft Edge and Internet Explorer 11
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index d423c37bd4..86a1452f93 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: appcompat
 title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros)
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Microsoft Edge requirements and language support
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md
index 17ac7d1722..3a25ecae1e 100644
--- a/browsers/edge/security-enhancements-microsoft-edge.md
+++ b/browsers/edge/security-enhancements-microsoft-edge.md
@@ -5,7 +5,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Security enhancements for Microsoft Edge
diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
index 11347ac764..4354799a3d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: How to use Group Policy to install ActiveX controls.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
index 0f99fc6a7b..ef4614e5b5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to add employees to the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
index 9660d3d146..47e96aaed6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 327a105fef..6c4f7048d3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
index 1140d08486..46952fd95a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 3ee1358e16..0e8d8237e3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
index 137b689b2f..a88856b77f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Administrative templates and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
index 0b6cee7d40..8c0981e62e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index 3ab6081d7c..4dd48ddc84 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto configuration and auto proxy problems with Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index 5b02b0d37f..4eca33dad5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto configuration settings for Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index c454b9eb42..9ac1090d30 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto detect settings Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index a9ac089edf..4fc46f4332 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto proxy configuration settings for Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index 36de09f8ce..b0262d2a24 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: performance
 description: Browser cache changes and roaming profiles
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index aab097bf2f..c97e0694da 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
 description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
 ms.mktglfcycl: deploy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
index 846ede6863..3f4d25d63c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -1,13 +1,15 @@
 ---
-localizationpriority: low
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.prod: ie11
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
-description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
-author: eross-msft
-ms.prod: ie11
-ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
-title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+ms.localizationpriority: low
 ---
@@ -23,7 +25,7 @@ ms.sitesec: library
 You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
-The information in this topic only covers HTTP protocol. We strongly recommend that you use HTTP protocol instead of file protocol due to increased performance.
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
 **How Internet Explorer 11 looks for an updated site list**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
index ccf72489f1..afc154053d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Choose how to deploy Internet Explorer 11 (IE11)
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 9c4a55c2bd..82329fbc99 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Choose how to install Internet Explorer 11 (IE11)
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index d4e3ae973c..d253c6156f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
index 0c2fcabf27..f2e96ee768 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index dee66ac9d8..94d579eef2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to create a change request within the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index 51f61a1b66..7766c1a797 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Create packages for multiple operating systems or languages
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index 7a8162ee05..50a6b4da46 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Customize Internet Explorer 11 installation packages
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 267c606f8b..6407c0ac49 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 description: Delete a single site from your global Enterprise Mode site list.
 ms.pagetype: appcompat
 ms.mktglfcycl: deploy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
index 846a265850..147018d84a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index 6654729ec6..7b2497adb5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Deploy Internet Explorer 11 using software distribution tools
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 708fccaaa2..284c39cf4a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index e624e6db2e..4b095c080f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index 004a42cb19..3fbdaa6e0f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index 68b09c2320..42b9794117 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enable and disable add-ons using administrative templates and group policy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index 971612c41b..b94efcee8d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enhanced Protected Mode problems with Internet Explorer
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
index 1d96ecb7cf..fc72177321 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 16c87cb775..f1ef88dc96 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index 5c003a24c1..b91676a518 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index 6cbc411a30..58dccc1956 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index c8d09c6157..2c2394be4a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
index cb34e15ac9..cd6d84a04f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index eed0b6ac55..098689f0fc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index 2a7f645030..8aca2f5360 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
index c7f5e51beb..f2ef7bb7bd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index 4e9b26b3fc..6f5e1b4a4e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
index 763f3e3eec..54bb62092b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Group Policy suggestions for compatibility with Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 37e54ed67e..1c208097c9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview of the available Group Policy management tools
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
index 4d460e76ab..680bd630f4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Info about Group Policy preferences versus Group Policy settings
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index 037d8a5da7..ec141c7c9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index f30e991051..f757093789 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index c44db29784..ccf390f9e1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png
index e386b956fc..14079ffd7c 100644
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png and b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png
index dd547ed5f2..3c32b1af1a 100644
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png and b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index a896a41f84..921273e4e7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 4a37a95e9a..4f7924e1da 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -6,7 +6,7 @@ ms.prod: ie11 ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) ms.sitesec: library -localizationpriority: low +ms.localizationpriority: low --- diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index c75819476b..a6ba3a7bb6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. author: eross-msft diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 94b6be9b40..17ac01f346 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. author: eross-msft diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index 63cbd88f37..6281115099 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 8a65258e74..783308e29a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 7c9f00ad35..bd7c36ded8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using your network
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index bc3474ac70..4f2f21d001 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using third-party tools and command-line options.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index a06e7ae728..c7ea390ba5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)'
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 0469d85cb3..3cefac76d0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to fix potential installation problems with Internet Explorer 11
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index c3ddb1943c..815918068a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to fix intranet search problems with Internet Explorer 11
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 8f73d5b3da..a50b6b626c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index 3964c4c779..e9b77343c8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index d25450aae1..48920354dc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 75d0ad1469..b346d9663e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: How to turn managed browser hosting controls back on in Internet Explorer 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 54b1f1eb74..549d485a7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: New group policy settings for Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 04b5f82c88..812ea91600 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 8a1618533a..9eb372320e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 72143e9cb1..006b713c0d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index cf988c785a..281568ca5a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local compatibility view list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index 9712b3448d..58d4be5197 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index c13d249a8a..173cc8e6ae 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 6d4ae0d626..f2e75998a0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index a26554c11b..88a167124d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Search to see if a specific site already appears in your global Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 66d13bed09..734c2d3528 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index 32d0ba628a..4090e6204f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Set up and turn on Enterprise Mode logging and data collection in your organization.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index e23bce2182..589b6569fd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 455a3aa91f..4a466fb09f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 ms.pagetype: appcompat
 description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index 752fb6e58a..dde74d8390 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Lists the minimum system requirements and supported languages for Internet Explorer 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 7dec9d7851..48b4ca2166 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index cd25d1df05..3547f5a51e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 49f803662c..24332033a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Turn off natural metrics for Internet Explorer 11
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index ef3ed29d52..fbf438a035 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -1,13 +1,20 @@ --- -localizationpriority: low +title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros) +description: How to turn on Enterprise Mode and specify a site list. +ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 +ms.prod: ie11 ms.mktglfcycl: deploy ms.pagetype: appcompat -description: How to turn on Enterprise Mode and specify a site list. -author: eross-msft -ms.prod: ie11 -ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 -title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros) ms.sitesec: library +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +ms.localizationpriority: low + + + + + --- @@ -23,8 +30,8 @@ ms.sitesec: library Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. -**Note**
-We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employee’s computers so if the centralized file location is unavailable, they can still use Enterprise Mode. +>[!NOTE] +>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. **To turn on Enterprise Mode using Group Policy** @@ -45,7 +52,7 @@ Turning this setting on also requires you to create and store a site list. For m ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) - - **HTTP location**: `"SiteList"="http://localhost:8080/sites.xml"` + - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` - **Local network:** `"SiteList"="\\network\shares\sites.xml"` diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index 04edbdc3b7..32e4dc1a7b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat description: Turn on local user control and logging for Enterprise Mode. diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md index af1ea520b4..b3d5c7bda5 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: High-level info about some of the new and updated features for Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index a478fd9557..55e577f222 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 06a50bf079..35f92c7b1c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 86929579b2..2a1c9fc1fe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 2a51d2abad..3eec3b0b6b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index ba9ab11557..2fefd87543 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use IEAK 11 while planning, customizing, and building the custom installation package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 7e15a06d41..e0f6bb66c8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use Setup Information (.inf) files to create installation packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index ad7ff7fb3e..3d375dbc9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 9b17b1c55d..c0eb8995ed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 90be9b01af..6408a81893 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index 39742890ba..19789bc48b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index bcf1dc7226..bfd4682de3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: virtualization
 description: Virtualization and compatibility with Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index f803185980..57ef5c82da 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Info about the features included in Enterprise Mode with Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 443fee4ab1..570bd3b72b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 ms.pagetype: security
 description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
index 6c23ee0748..f0e1333a10 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 384f432713..86092448c2 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: explore
 description: Frequently asked questions about Internet Explorer 11 for IT Pros
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index e44077d74d..dc8a3b1dd6 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 0a2f864dce..70d6fb8c90 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use IEAK 11 to add and approve ActiveX controls for your organization.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index 1ed9bf67b0..1d2860516a 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index f8749f2d50..8556b6edd2 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index 2147e5ba34..b17332600a 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 16ee9d90bb..6c653f08fc 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index a348c82fd6..c8ad903c3a 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index 9c66fd3777..c25d42016e 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: A list of steps to follow before you start to create your custom browser installation packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index ecbaa2500e..279fa2b311 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index de3cd4ccb5..1862eda60d 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index f11633eec9..e06625af10 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index 3f600fbdde..d3d191860d 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index 1ea07d8c49..0ae82866c4 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index 26271c2666..12383d14d1 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index 0775380c68..2f256e9354 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index ffc214c941..a2eaa01f8f 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 76e9f16992..cad1e630c5 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 7b502d02d9..142e588090 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: How to create your folder structure on the computer that you’ll use to build your custom browser package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index db345fee37..0a455e71be 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 947b9febe9..8657bcb1fb 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 1715dfaa58..90ad44025b 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 86c289b22d..baa1c3fc79 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index 78c4f245a3..5ea1931ea9 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 7f915b87aa..68231a4a67 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: manage
 description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index ae010258c3..6b5cfadd74 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 44dcbe0155..41b6867002 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 51042e42b8..a3a9197a05 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index f7861e2e5c..a842d3aea4 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index 548ad0016d..6192ecb053 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 5c4deb0b5d..b77750a229 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11).
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 27fc79e06b..3ce8f21b44 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index ec2a66bc57..2bd9a5b5e4 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 8d43bef26a..e778a8a516 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 753268c6b2..d9fabda403 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index f1a75a85d0..4a41872c22 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Reference about the command-line options and return codes for Internet Explorer Setup.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index db66d6f706..2dec226b06 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Review the options available to help you customize your browser install packages for deployment to your employee's devices.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index 13fff054c3..2c1d2a51c8 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Reference about the command-line options for the IExpress Wizard.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index a863e88fd8..e419776ec7 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 74acabee72..9a7f220abd 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 00b9d78815..2bfdfbfdd9 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -6,7 +6,7 @@ ms.prod: ie11
 ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
 title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
 ms.sitesec: library
-localizationpriority: low
+ms.localizationpriority: low
 ---
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index 22e16c2e81..774836dae6 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
index 01f34bb4f1..0523806f11 100644
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index 625df35a75..09392580d3 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the lanaguage for your IEAK 11 custom package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 87187bf8c3..8bb63453c9 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Learn about which version of the IEAK 11 you should run, based on your license agreement.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
index 0a11cced95..c1ff2be4c5 100644
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
@@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md index 83b0d79dd5..e853869555 100644 --- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index 0edf5578ef..ff41cfb4b4 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md index 5b0a24fd55..a950b3c6a3 100644 --- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md 
@@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: plan description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index 5cc0312c67..0bcdc1f6c3 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md index fbd10a4080..a921199911 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md index eb04586dcd..bea9403375 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. author: eross-msft 
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index 3a1e0162be..d2052087ce 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md index 1a490542ed..45a27ee082 100644 --- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Learn how to register an uninstall app for your custom components, using IEAK 11. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md index c8c82c121b..8cc3bcd310 100644 --- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: manage description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md index f8816f6d9a..a0e4286e8d 100644 
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md index 61e6caf344..809652df55 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: plan description: Learn about the security features available in Internet Explorer 11 and IEAK 11. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md index d88993dbe2..9f5cadf768 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md index 2c1379c97b..2267ccc2c3 100644 --- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md 
@@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index b6c2290c54..4d655da341 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: support description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md index d508dffd3a..33120276a5 100644 --- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index 2417baf652..0fd4a2c8bd 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md 
@@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index dc16dd86ec..6b88d3fa5e 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index 2fad3b0d54..96fbaaaa45 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. author: eross-msft diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md index 79a0d7af08..65aa2dda43 100644 --- a/browsers/internet-explorer/index.md +++ b/browsers/internet-explorer/index.md @@ -6,7 +6,7 @@ ms.prod: IE11 title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0 ms.sitesec: library -localizationpriority: low +ms.localizationpriority: low --- 
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 757d5d4376..00808fc443 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Change history for Microsoft HoloLens documentation
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index e9b51e6b8d..590709239d 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Enroll HoloLens in MDM
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index fa7479c5ef..d4ab0de317 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Install apps on HoloLens
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 42ce78887a..b2986ac0a3 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Set up HoloLens in kiosk mode
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 53f90a2f31..93334b734a 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Configure HoloLens using a provisioning package test diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index d364082e8d..e4d0abec41 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Microsoft HoloLens in the enterprise: requirements and FAQ diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md index d6ead976b2..485dc497ee 100644 --- a/devices/hololens/hololens-setup.md +++ b/devices/hololens/hololens-setup.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Set up HoloLens diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index 82583e43cd..0b22298118 100644 --- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Unlock Windows Holographic for Business features 
@@ -116,7 +116,7 @@ Provisioning packages are files created by the Windows Imaging and Configuration ### Apply the provisioning package to HoloLens -1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of OOBE (the first page with the blue box). +1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box). 2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. @@ -128,7 +128,7 @@ Provisioning packages are files created by the Windows Imaging and Configuration 6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package. -7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. +7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. >[!NOTE] >If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index a340332cc7..a400654bbd 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Microsoft HoloLens diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 240bcc485e..74d61c7720 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md 
@@ -33,6 +33,7 @@ ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) ### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) ### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) +### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 75d75ecc96..193a5d5235 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -9,8 +9,8 @@ ms.pagetype: surfacehub ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 -localizationpriority: medium +ms.date: 08/17/2017 +ms.localizationpriority: medium --- # Accessibility (Surface Hub) @@ -24,7 +24,6 @@ The full list of accessibility settings are available to IT admins in the **Sett | Accessibility feature | Default settings | | --------------------- | ----------------- | -| Narrator | Off | | Magnifier | Off | | High contrast | No theme selected | | Closed captions | Defaults selected for Font and Background and window | 
@@ -32,6 +31,17 @@ The full list of accessibility settings are available to IT admins in the **Sett | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. | | Other options | Defaults selected for **Visual options** and **Touch feedback**. | +The accessibility feature Narrator is not available in the **Settings** app. By default, Narrator is turned off. To change the default settings for Narrator, perform the following steps using a keyboard and mouse. + +1. Dismiss the Welcome screen. +2. Open **Quick Actions** > **Ease of Access** from the status bar. + + ![Screenshot of Ease of Access tile](images/ease-of-access.png) + +3. Turn Narrator on. +4. Click **Task Switcher**. +5. Select **Narrator Settings** from Task Switcher. You can now edit the default Narrator settings. + Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md): - Narrator - Magnifier diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 31c718d2cc..8fefe084ae 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, security author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Admin group management (Surface Hub) diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index cf0b708c03..308ce30051 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md 
@@ -1,6 +1,6 @@
 ---
 title: PowerShell for Surface Hub (Surface Hub)
-description: PowerShell scripts to help set up and manage your Microsoft Surface Hub .
+description: PowerShell scripts to help set up and manage your Microsoft Surface Hub.
 ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
 keywords: PowerShell, set up Surface Hub, manage Surface Hub
 ms.prod: w10
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
-ms.date: 06/19/2017
-localizationpriority: medium
+ms.date: 08/16/2017
+ms.localizationpriority: medium
 ---
 
 # PowerShell for Surface Hub
@@ -465,7 +465,7 @@ PrintAction "Configuring password not to expire..."
 Start-Sleep -s 20
 try
 {
- Set-AdUser $mailbox.Alias -PasswordNeverExpires $true -Enabled $true
+ Set-AdUser $mailbox.UserPrincipalName -PasswordNeverExpires $true -Enabled $true
 }
 catch
 {
@@ -1243,7 +1243,7 @@ if (!$fExIsOnline)
 }
 
 
-$strAlias = $mailbox.Alias
+$strAlias = $mailbox.UserPrincipalName
 $strDisplayName = $mailbox.DisplayName
 $strLinkedAccount = $strLinkedDomain = $strLinkedUser = $strLinkedServer = $null
 
@@ -1424,7 +1424,7 @@ if ($fHasOnPrem)
 else
 {
 #AD User enabled validation
- $accountOnPrem = Get-AdUser $strAlias -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
+ $accountOnPrem = Get-AdUser $mailbox.UserPrincipalName -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
 }
 $strOnPremUpn = $accountOnPrem.UserPrincipalName
 Validate -Test "There is a user account for $strOnPremUpn" -Condition ($accountOnprem -ne $null) -FailureMsg "Could not find an Active Directory account for this user"
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index 216212e22c..150021a410 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
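Review bot: In the `@@ -1243` hunk, `$strAlias = $mailbox.UserPrincipalName` leaves a variable named `$strAlias` holding a UPN, and the `@@ -1424` hunk then bypasses it by calling `Get-AdUser $mailbox.UserPrincipalName` directly, so the two lines no longer agree; rename the variable to `$strUpn = $mailbox.UserPrincipalName` and pass `$strUpn` to both the Set-AdUser call in the `@@ -465` hunk and the Get-AdUser call here. As far as I recall, the positional `-Identity` parameter of Get-ADUser/Set-ADUser resolves a DN, GUID, SID or sAMAccountName but not a UPN, so these calls may fail to find the account, and the `-ErrorAction SilentlyContinue` on the Get-AdUser line would hide that until the Validate step reports a missing account; confirm against a test account or query with `Get-ADUser -Filter "UserPrincipalName -eq '$strUpn'"`. The enclosing script body extends well outside these hunks.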
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Applying ActiveSync policies to device accounts (Surface Hub) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index f15a7db11b..6fc60ccb51 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -8,14 +8,35 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 -localizationpriority: medium +ms.date: 08/17/2017 +ms.localizationpriority: medium --- # Change history for Surface Hub This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## August 2017 + + +| New or changed topic | Description | +| --- | --- | +[Accessibility](accessibility-surface-hub.md) | Added information about Narrator +[Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | New + + + + + +## July 2017 + +| New or changed topic | Description | +| --- | --- | +| [Windows updates](manage-windows-updates-for-surface-hub.md) | Changed deferral recommendations for Windows Updates | +| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Added Whiteboard URLs to prerequisites | +| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md#skype-for-business-online) | Updated the Skype for Business Online requirements | +| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Added that Surface Hub supports 802.1X using PEAP-MSCHAPv2 | + ## June 2017 | New or changed topic | Description | 
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 24401a121f..0dbb2f0c28 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Change the Microsoft Surface Hub device account
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 3b707fc91d..b8b4074703 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Connect other devices and display with Surface Hub
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 2738f245e6..b6d74e9b2f 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Create a device account using UI (Surface Hub)
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index 5488c98164..d23e2a2012 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Create and test a device account (Surface Hub)
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index a82f56d4f1..2cd32d91db 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Device reset (Surface Hub)
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 8ac7840f05..60b1ab2d53 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: isaiahng
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Differences between Surface Hub and Windows 10 Enterprise
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index 0de8a05437..65f8ff0dfe 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Microsoft Exchange properties (Surface Hub)
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 38967ea5fb..cfd7ebf145 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # End a Surface Hub meeting with End session
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 6d783ca362..5bbd47ff2e 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # First-run program (Surface Hub)
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index fd1ab47a02..41b4b78342 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Hybrid deployment (Surface Hub)
@@ -114,17 +114,27 @@ Use this procedure if you use Exchange on-prem. Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-prem](#skype-for-business-on-prem), or [Skype for Business hybrid](#skype-for-business-hybrid). + ### Skype for Business Online -To enable Skype for Business online, your environment will need to meet the following prerequisites: +To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need. -- You need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. +| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have have Skype for Business Server 2015 (on-premises or hybrid), you need: | +| --- | --- | --- | --- | +| Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | +| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | +| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | +| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - -- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). - -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +The following table lists the Office 365 plans and Skype for Business options. + +| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling | +| --- | --- | --- | --- | --- | +| O365 Business Essentials | Included | | | | +| O365 Business Premium | Included | | | | +| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E5 | Included | Included | Included | Add-on | 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. 
@@ -300,18 +310,10 @@ Use this procedure if you use Exchange online. Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-prem](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid). - + ### Skype for Business Online -In order to enable Skype for Business, your environment will need to meet the following prerequisites: - -- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. - -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - -- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). - -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](#sfb-online). 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC. diff --git a/devices/surface-hub/images/approve-signin.png b/devices/surface-hub/images/approve-signin.png new file mode 100644 index 0000000000..7736b95431 Binary files /dev/null and b/devices/surface-hub/images/approve-signin.png differ diff --git a/devices/surface-hub/images/approve-signin2.png b/devices/surface-hub/images/approve-signin2.png new file mode 100644 index 0000000000..2ccfc40ecc Binary files /dev/null and b/devices/surface-hub/images/approve-signin2.png differ diff --git a/devices/surface-hub/images/attendees.png b/devices/surface-hub/images/attendees.png new file mode 100644 index 0000000000..fd468aa971 Binary files /dev/null and b/devices/surface-hub/images/attendees.png differ 
diff --git a/devices/surface-hub/images/ease-of-access.png b/devices/surface-hub/images/ease-of-access.png new file mode 100644 index 0000000000..2cb79254f8 Binary files /dev/null and b/devices/surface-hub/images/ease-of-access.png differ diff --git a/devices/surface-hub/images/mfa-options.png b/devices/surface-hub/images/mfa-options.png new file mode 100644 index 0000000000..5bd3defd01 Binary files /dev/null and b/devices/surface-hub/images/mfa-options.png differ diff --git a/devices/surface-hub/images/sign-in.png b/devices/surface-hub/images/sign-in.png new file mode 100644 index 0000000000..bd34f642a7 Binary files /dev/null and b/devices/surface-hub/images/sign-in.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index f8199feb73..ab8cbc200f 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Microsoft Surface Hub admin guide diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index 0fd4a2c619..cf999ceac8 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, store author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Install apps on your Microsoft Surface Hub diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md index 904c44e890..cb1c078d70 100644 --- a/devices/surface-hub/local-management-surface-hub-settings.md +++ b/devices/surface-hub/local-management-surface-hub-settings.md 
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Local management for Surface Hub settings diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 71bf9ab39f..0fa469597a 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, mobility author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Manage settings with an MDM provider (Surface Hub) diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index 5226843d3a..e3a2315659 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Manage Surface Hub settings diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 14df9d6b63..25cca9e168 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Manage Microsoft Surface Hub 
@@ -34,6 +34,7 @@ Learn about managing and updating Surface Hub. | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.| | [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | | [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| +| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. | | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. | diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 102a9c8006..84340e8542 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Windows updates (Surface Hub) 
@@ -70,9 +70,9 @@ This table gives examples of deployment rings. | Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step | | --------- | --------- | --------- | --------- | --------- | --------- | -| Evaluation (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. | -| Pilot (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | -| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 60 days after CBB is released. | 14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | +| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. | +| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | +| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 120 days after CBB is released. 
| 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | | Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. | diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md index 69095fd26e..b171da8675 100644 --- a/devices/surface-hub/miracast-over-infrastructure.md +++ b/devices/surface-hub/miracast-over-infrastructure.md @@ -1,6 +1,6 @@ --- title: Miracast on existing wireless network or LAN -description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). +description: Windows 10 enables you to send a Miracast stream over a local network. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -8,7 +8,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Miracast on existing wireless network or LAN 
@@ -32,13 +32,15 @@ Users attempt to connect to a Miracast receiver as they did previously. When the ## Enabling Miracast over Infrastructure -If you have a Surface Hub that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: +If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: -- The Surface Hub needs to be running Windows 10, version 1703. -- The Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. -- The DNS Hostname (device name) of the Surface Hub needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. +- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703. +- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. 
+- The DNS Hostname (device name) of the Surface Hub or deviceneeds to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- PCs need to be running Windows 10, version 1703. + It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index 942887f020..6b4edc0f44 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -8,7 +8,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Troubleshoot Miracast on Surface Hub diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 2fac6d72e5..d90926b6e8 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Monitor your Microsoft Surface Hub diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 538c8ab8e7..12476b218a 100644 
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # On-premises deployment for Surface Hub in a single-forest environment diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index 71b1557cdc..049a77fe9d 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # On-premises deployment for Surface Hub in a multi-forest environment diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 971d34f236..91423ffc82 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Online deployment with Office 365 (Surface Hub) 
@@ -83,11 +83,8 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true ``` -7. Surface Hub requires a license for Skype for Business functionality. - - Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. - - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. - - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - +7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). + Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*). diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index a21cbe75c4..bd6ee1ab26 100644 --- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, security author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Password management (Surface Hub) diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index 881d35d5e5..25d9589595 100644 
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, readiness author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Physically install Microsoft Surface Hub diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 938be33bfe..7346763936 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 -localizationpriority: medium +ms.date: 07/27/2017 +ms.localizationpriority: medium --- # Prepare your environment for Microsoft Surface Hub @@ -22,14 +22,14 @@ This section contains an overview of setup dependencies and the setup process. R ## Review infrastructure dependencies Review these dependencies to make sure Surface Hub features will work in your IT infrastructure. -| Dependency | Purpose | -|-------------------------------------------------------|-------------------------------------------------------| +| Dependency | Purpose | +|-------------|------------------| | Active Directory or Azure Active Directory (Azure AD) |

The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | | Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |

Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**802.1x authentication:** In Windows 10, version 1703, 802.1x authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1x authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1x authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1x authentication will start working automatically.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | +| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
**Note:** Surface Hub supports 802.1X using PEAP-MSCHAPv2. We currently do not support additional EAP methods such as 802.1X using PEAP-TLS or PEAP-EAP-TLS.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 @@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. -- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. +After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. + ## Prepare for first-run program 
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md index f5c44be7e4..4c8f42d3cf 100644 --- a/devices/surface-hub/provisioning-packages-for-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Create provisioning packages (Surface Hub) diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md index 2239f33b52..7511c69e12 100644 --- a/devices/surface-hub/remote-surface-hub-management.md +++ b/devices/surface-hub/remote-surface-hub-management.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Remote Surface Hub management diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index 98bcf798cc..7b7a9953bf 100644 --- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, security author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Save your BitLocker key (Surface Hub) diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md index 350ad29527..435554c0f4 100644 --- a/devices/surface-hub/set-up-your-surface-hub.md +++ b/devices/surface-hub/set-up-your-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Set up Microsoft Surface Hub 
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md index e689a49798..804434fe6a 100644 --- a/devices/surface-hub/setup-worksheet-surface-hub.md +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Setup worksheet (Surface Hub) diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md index aab82e172f..569446d7bd 100644 --- a/devices/surface-hub/skype-hybrid-voice.md +++ b/devices/surface-hub/skype-hybrid-voice.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Online or hybrid deployment using Skype Hybrid Voice environment (Surface Hub) diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md new file mode 100644 index 0000000000..d859d73c38 --- /dev/null +++ b/devices/surface-hub/surface-hub-authenticator-app.md 
@@ -0,0 +1,89 @@ +--- +title: Sign in to Surface Hub with Microsoft Authenticator +description: Use Microsoft Authenticator on your mobile device to sign in to Surface Hub. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +ms.author: jdecker +ms.date: 07/27/2017 +localizationpriority: medium +--- + +# Sign in to Surface Hub with Microsoft Authenticator + +People in your organization can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. + + +## Organization prerequisites + +To let people in your organization sign in to Surface Hub with their phones and other devices instead of a password, you’ll need to make sure that your organization meets these prerequisites: + +- Your organization must be a hybrid or cloud-only organization, backed by Azure Active Directory (Azure AD). For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-whatis) + +- Make sure you have at minimum an Office 365 E3 subscription. + +- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected. + + ![multi-factor authentication options](images/mfa-options.png) + +- Enable content hosting on Azure AD services such as Office online, SharePoint, etc. + +- Surface Hub must be running Windows 10, version 1703 or later. + +- Surface Hub is set up with either a local or domain-joined account. + +Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD. 
+ +## Individual prerequisites + +- An Android phone running 6.0 or later, or an iPhone or iPad running iOS9 or later + +- The most recent version of the Microsoft Authenticator app from the appropriate app store + >[!NOTE] + >On iOS, the app version must be 5.4.0 or higher. + > + >The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub. + +- Passcode or screen lock on your device is enabled + +- A standard SMTP email address (example: joe@contoso.com). Non-standard or vanity SMTP email addresses (example: firstname.lastname@contoso.com) currently don’t work. + + +## How to set up the Microsoft Authenticator app + +>[!NOTE] +>If Company Portal is installed on your Android device, uninstall it before you set up Microsoft Authenticator. After you set up the app, you can reinstall Company Portal. +> +>If you have already set up Microsoft Authenticator on your phone and registered your device, go to the [sign-in instructions](#signin). + +1. Add your work or school account to Microsoft Authenticator for Multi-Factor Authentication. You will need a QR code provided by your IT department. For help, see [Get started with the Microsoft Authenticator app](https://docs.microsoft.com/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to). +2. Go to **Settings** and register your device. +1. Return to the accounts page and choose **Enable phone sign-in** from the account dropdown menu. + + + +## How to sign in to Surface Hub during a meeting + +1. After you’ve set up a meeting, go to the Surface Hub and select **Sign in to see your meetings and files**. + + >[!NOTE] + >If you’re not sure how to schedule a meeting on a Surface Hub, see [Schedule a meeting on Surface Hub](https://support.microsoft.com/help/17325/surfacehub-schedulemeeting). + + ![screenshot of Sign in option on Surface Hub](images/sign-in.png) + +2. You’ll see a list of the people invited to the meeting. 
Select yourself (or the person who wants to sign in – make sure this person has gone through the steps to set up their device before your meeting), and then select **Continue**. + + ![screenshot of list of attendees in a meeting](images/attendees.png) + + You'll see a code on the Surface Hub. + + ![screenshot of code for Approve Sign in](images/approve-signin.png) + +3. To approve the sign-in, open the Authenticator app, enter the four-digit code that’s displayed on the Surface Hub, and select **Approve**. You will then be asked to enter the PIN or use your fingerprint to complete the sign in. + + ![screenshot of the Approve sign-in screen in Microsoft Authenticator](images/approve-signin2.png) + +You can now access all files through the OneDrive app. + diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index b66f0125d8..10a0151d96 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md @@ -8,7 +8,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Useful downloads for Microsoft Surface Hub 
@@ -23,7 +23,7 @@ This topic provides links to useful Surface Hub documents, such as product datas
 | [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
 | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
 | [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
-| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface%20Hub%20RASK.zip) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
+| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
 | [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
 | [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
 | [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 8746e4fbf0..c351a69bb3 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # How Surface Hub addresses Wi-Fi Direct security issues
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index e2b323adce..b7fb78beec 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # What's new in Windows 10, version 1703 for Microsoft Surface Hub?
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 88634df13a..46b82e72e3 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Troubleshoot Microsoft Surface Hub
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 8b90760907..056a710493 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -5,7 +5,7 @@ keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: support
 ms.sitesec: library
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 8a77082f26..5746904f3f 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Using a room control system (Surface Hub)
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index 9f8deab97e..87f6088e2c 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -7,8 +7,8 @@ ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
-ms.date: 06/19/2017
-localizationpriority: medium
+ms.date: 07/13/2017
+ms.localizationpriority: medium
 ---
 # Set up and use Whiteboard to Whiteboard collaboration (Surface Hub)
@@ -28,6 +28,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m
 - Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet
 - Surface Hub needs to be updated to Windows 10, version 1607 or newer
 - Port 443 needs to be open since Whiteboard makes standard https requests
+- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
 >[!NOTE]
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index d7b8a3edbe..434cef3e19 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub, networking
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Wireless network management (Surface Hub)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index 359032994a..1116a30c12 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -3,7 +3,7 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface)
 description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
 ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
 keywords: security, features, configure, hardware, device, custom, script, update
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index e986d59af3..1f50da1b95 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,7 +3,7 @@ title: Customize the OOBE for Surface deployments (Surface)
 description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
 ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
 keywords: deploy, customize, automate, network, Pen, pair, boot
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 05a27098bb..96fa078066 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -3,7 +3,7 @@ title: Download the latest firmware and drivers for Surface devices (Surface)
 description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
 ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
 keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 5013bcb538..09f3d1463d 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -3,7 +3,7 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
 description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
 ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
 keywords: network, wireless, device, deploy, authentication, protocol
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 3a5739d950..4ebec35606 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,7 +3,7 @@ title: Ethernet adapters and Surface deployment (Surface)
 description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
 ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
 keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 3ef2840357..65fba37343 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -2,7 +2,7 @@ title: Surface (Surface)
 description:
 ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index a07e2d8789..02c59dfdbb 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -2,7 +2,7 @@ title: Manage Surface Dock firmware updates (Surface)
 description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
 ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
-localizationpriority: high
+ms.localizationpriority: high
 keywords: firmware, update, install, drivers
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
index eb0fea2fee..2a21c48dde 100644
--- a/devices/surface/manage-surface-pro-3-firmware-updates.md
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -3,7 +3,7 @@ title: Manage Surface driver and firmware updates (Surface)
 description: This article describes the available options to manage firmware and driver updates for Surface devices.
 ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
 keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 388cb338d9..1e675594b7 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -2,7 +2,7 @@ title: Manage Surface UEFI settings (Surface)
 description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings.
 keywords: firmware, security, features, configure, hardware
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index ef8103d135..b7993ada90 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -2,7 +2,7 @@ title: Microsoft Surface Data Eraser (Surface)
 description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
 ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
-localizationpriority: high
+ms.localizationpriority: high
 keywords: tool, USB, data, erase
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 207c434259..564aadec7a 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Deployment Accelerator (Surface)
 description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
 ms.date: 06/29/2017
-localizationpriority: high
+ms.localizationpriority: high
 keywords: deploy, install, tool
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 492a5e773c..b9c7a108ed 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -2,7 +2,7 @@ title: Step by step Surface Deployment Accelerator (Surface)
 description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
 ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
-localizationpriority: high
+ms.localizationpriority: high
 keywords: deploy, configure
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
index 8baced791b..2cb59e2ab9 100644
--- a/devices/surface/surface-diagnostic-toolkit.md
+++ b/devices/surface/surface-diagnostic-toolkit.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Diagnostic Toolkit (Surface)
 description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
 ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
 keywords: hardware, device, tool, test, component
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index e555b82072..42ea115bd7 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Dock Updater (Surface)
 description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater.
 ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C
 keywords: install, update, firmware
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/education/get-started/TOC.md b/education/get-started/TOC.md
index b4b33d20fc..20de4cd93d 100644
--- a/education/get-started/TOC.md
+++ b/education/get-started/TOC.md
@@ -1,3 +1,10 @@
 # [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
-# [Change history for Microsoft Education get started](change-history-ms-edu-get-started.md)
+## [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
+## [Use School Data Sync to import student data](use-school-data-sync.md)
+## [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
+## [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
+## [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
+### [Set up Windows 10 devices using Windows OOBE](set-up-windows-education-devices.md)
+## [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md)
+# [Change history for Microsoft Education Get Started](change-history-ms-edu-get-started.md)
diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md
index 484ed4a299..2e9b13b1a7 100644
--- a/education/get-started/change-history-ms-edu-get-started.md
+++ b/education/get-started/change-history-ms-edu-get-started.md
@@ -1,5 +1,5 @@
 ---
-title: Change history for Microsoft Education Get started
+title: Change history for Microsoft Education Get Started
 description: New and changed topics in the Microsoft Education get started guide.
 keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history
 ms.prod: w10
@@ -8,13 +8,27 @@ ms.sitesec: library
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
-ms.date: 06/26/2017
+ms.date: 07/03/2017
 ---
-# Change history for Microsoft Education Get started
+# Change history for Microsoft Education Get Started
 This topic lists the changes in the Microsoft Education IT admin get started.
+## July 2017
+
+| New or changed topic | Description |
+| --- | ---- |
+| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. |
+| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. |
+| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. |
+| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. |
+| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. |
+| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. |
+| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. |
+| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. |
+
+
 ## June 2017
 | New or changed topic | Description |
diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md
new file mode 100644
index 0000000000..0de78d8a9c
--- /dev/null
+++ b/education/get-started/configure-microsoft-store-for-education.md
@@ -0,0 +1,70 @@
+---
+title: Configure Microsoft Store for Education
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Configure Microsoft Store for Education
+
+> [!div class="step-by-step"]
+[<< Use School Data Sync to import student data](use-school-data-sync.md)
+[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
+
+You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
+
+You can watch the video to see how this is done, or follow the step-by-step guide.
+
+
+
+
+You can watch the descriptive audio version here: [Microsoft Education: Configure Microsoft Store for Education (DA)](https://www.youtube.com/watch?v=bStgEpHbEXw)
+
+## Associate your Microsoft Store account with Intune for Education
+
+1. Sign in to Microsoft Store for Education.
+2. Accept the Microsoft Store for Business and Education Services Agreement.
+
+ This will take you to the Microsoft Store for Education portal.
+
+ **Figure 1** - Microsoft Store for Education portal
+
+ ![Microsoft Store for Education portal](images/msfe_store_portal.png)
+
+3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
+4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
+
+ **Figure 2** - Select management tools from the list of Store settings options
+
+ ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
+
+4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
+
+ **Figure 3** - Activate Intune for Education as the management tool
+
+ ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
+
+Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
+
+
+
+> [!div class="step-by-step"]
+[<< Use School Data Sync to import student data](use-school-data-sync.md)
+[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
+
+
+## Related topic
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md
new file mode 100644
index 0000000000..39574448d6
--- /dev/null
+++ b/education/get-started/enable-microsoft-teams.md 
@@ -0,0 +1,60 @@
+---
+title: Enable Microsoft Teams for your school
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Enable Microsoft Teams for your school
+
+Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
+
+To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
+
+## Enable Microsoft Teams for your school
+
+1. Sign in to Office 365 with your work or school account.
+2. Click **Admin** to go to the Office 365 admin center.
+3. Go to **Settings > Services & add-ins**.
+4. On the **Services & add-ins** page, select **Microsoft Teams**.
+
+ **Figure 1** - Select Microsoft Teams from the list of services & add-ins
+
+ ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
+
+5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**.
+
+ **Figure 2** - Select the license that you want to configure
+
+ ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
+
+6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
+
+ **Figure 3** - Turn on Microsoft Teams for your organization
+
+ ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
+
+7. Click **Save**.
+
+You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page.
+
+
+
+> [!div class="step-by-step"]
+[<< Use School Data Sync to import student data](use-school-data-sync.md)
+[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
+
+
+## Related topic
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md
new file mode 100644
index 0000000000..f7f99ded79
--- /dev/null
+++ b/education/get-started/finish-setup-and-other-tasks.md
@@ -0,0 +1,219 @@
+---
+title: Finish Windows 10 device setup and other tasks
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Finish Windows 10 device setup and other tasks
+
+> [!div class="step-by-step"]
+[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
+
+Once you've set up your Windows 10 education device, it's worth checking to verify the following:
+
+> [!div class="checklist"]
+> * Correct device setup
+> * Device is Azure AD joined
+
+You can watch the video to see how this is done, or follow the step-by-step guide.
+
+
+
+You can watch the descriptive audio version here: [Microsoft Education: Verify Windows 10 education devices are Azure AD joined and managed (DA)](https://www.youtube.com/watch?v=_hVIxaEsu2Y)
+
+## Verify correct device setup
+Verify that the device is set up correctly and boots without any issues.
+
+**Verify that the device was set up correctly**
+1. Confirm that the Start menu contains a simple configuration.
+2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**.
+
+ > [!NOTE]
+ > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
+
+ **Figure 1** - Sample list of apps for a user
+
+ ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
+
+## Verify the device is Azure AD joined
+Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education.
+
+**Verify if the device is joined to Azure AD**
+1. Log in to the Intune for Education console.
+2. Select **Groups** and select **All Devices**.
+3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
+
+ **Figure 2** - List of all managed devices
+
+ ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
+
+4. On the Windows 10 education device, click **Start** and go to **Settings**.
+5. Select **Accounts > Access work or school**.
+6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
+
+ **Figure 3** - Confirm that the Windows 10 device is joined to Azure AD
+
+ ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
+
+**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education.
+
+You can follow the rest of the walkthrough to finish setup and complete other tasks, such as:
+
+> [!div class="checklist"]
+> * Update group settings in Intune for Education
+> * Configure Azure settings
+> * Complete Office 365 for Education setup
+> * Enable Microsoft teams for your school
+> * Add more users
+> * Connect other devices, like BYOD devices, to your cloud infrastructure
+
+You can watch the following video to see how to update group settings in Intune for Education and configure Azure settings. Or, you can follow the step-by-step guide for these tasks and the other tasks listed above.
+
+
+You can watch the descriptive audio version here: [Microsoft Education: Update settings, apps, and Azure AD settings for your education tenant (DA)](https://www.youtube.com/watch?v=-Rz3VcDXbzs)
+
+## Update group settings in Intune for Education
+If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps.
+
+1. Log in to the Intune for Education console.
+2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
+3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
+
+ **Figure 4** - See the list of available settings in Intune for Education
+
+ ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
+
+4. Keep the default settings or configure the settings according to your school's policies.
+
+ For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**.
+
+5. Click **Save** or **Discard changes**.
+
+## Configure Azure settings
+After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use.
+
+### Enable many devices to be added by a single person
+When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure.
+
+Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure.
+
+1. Sign in to the Office 365 admin center.
+2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com.
+3. Select **Azure Active Directory > Users and groups > Device settings**.
+
+   **Figure 5** - Device settings in the new Azure portal
+
+   ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
+
+4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**.
+5. Click **Save** to update device settings.
+
+### Enable roaming settings for users
+When students move from using one device to another, they may need to have their settings roam with them and be made available on other devices.
+
+Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another.
+
+1. Sign in to the Office 365 admin center.
+3. Go to the new Azure portal, https://portal.azure.com.
+3. Select **Azure Active Directory > Users and groups > Device settings**.
+4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
+
+   **Figure 6** - Enable settings to roam with users
+
+   ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
+
+5. Click **Save** to update device settings.
+
+## Complete Office 365 for Education setup
+Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation.
+
+## Enable Microsoft Teams for your school
+Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
+
+To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
+
+**To enable Microsoft Teams for your school**
+
+1. Sign in to Office 365 with your work or school account.
+2. Click **Admin** to go to the Office 365 admin center.
+3. Go to **Settings > Services & add-ins**.
+4. On the **Services & add-ins** page, select **Microsoft Teams**.
+
+   **Figure 1** - Select Microsoft Teams from the list of services & add-ins
+
+   ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
+
+5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**.
+
+   **Figure 2** - Select the license that you want to configure
+
+   ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
+
+6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
+
+   **Figure 3** - Turn on Microsoft Teams for your organization
+
+   ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
+
+7. Click **Save**.
+
+You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page.
+
+## Add more users
+After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
+
+See Add users to Office 365 to learn more.
Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well.
+
+## Connect other devices to your cloud infrastructure
+Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [Set up Windows 10 education devices](set-up-windows-10-education-devices.md). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
+
+ > [!NOTE]
+ > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
+
+**To connect a personal device to your work or school**
+
+1. On your Windows device, go to **Settings > Accounts**.
+2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page.
+3. In the **Set up a work or school account** window, enter the user's account info.
+
+   For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
+
+   **Figure 7** - Device is now managed by Intune for Education
+
+   ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
+
+4. Enter the account password and then click **Sign in** to authenticate the user.
+
+   Depending on the organization's policy, the user may be asked to update the password.
+
+5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
+
+   **Figure 8** - Device is connected to organization's MDM
+
+   ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
+
+6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [Verify the device is Azure AD joined](#verify-the-device-is-azure-ad-joined).
+
+   It may take several minutes before the new device shows up so check again later.
+
+
+> [!div class="step-by-step"]
+[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
+
+
+## Related topic
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
diff --git a/education/get-started/get-started-with-microsoft-education-fullpage.md b/education/get-started/get-started-with-microsoft-education-fullpage.md
new file mode 100644
index 0000000000..1b41b3b603
--- /dev/null
+++ b/education/get-started/get-started-with-microsoft-education-fullpage.md
@@ -0,0 +1,765 @@
+---
+title: Deploy and manage a full cloud IT solution with Microsoft Education
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: hero-article
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 06/26/2017
+---
+
+# Get started: Deploy and manage a full cloud IT solution with Microsoft Education
+
+![Learn how to deploy and manage a cloud solution with MSES!](images/mses_getstarted_banner.png)
+
+**Applies to:**
+
+- Office 365 for Education, School Data Sync, Microsoft Intune for Education, Microsoft Store for Education, Windows 10 Creators Update, Set up School PCs
+
+Hello, IT administrators! In this walkthrough, we'll show you how you can quickly and easily use the new Microsoft Education system, consisting of new and existing cloud services and tools, to implement a full IT cloud solution for your school.
+
+## What is Microsoft Education?
+**Microsoft Education** consists of these new and existing services and tools from Microsoft:
+- **Microsoft Intune for Education** for simple set up, control, and management of the resources for your school including apps, devices, and settings
+- **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students
+ - **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365
+ - **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow
+- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
+- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
+- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
+- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
+- **Minecraft: Education Edition** which provides an open and immersive environment to promote creativity, collaboration, and problem-solving
+
+With Microsoft Education, schools can:
+- **Use affordable devices and simple setup** - Boost creativity and get started instantly with Windows 10 devices that support Windows Ink. Set up devices in minutes and stay in control with the new Intune for Education.
+- **Collaborate in a modern classroom** - Help students become career-ready with Office apps like Word, Excel, PowerPoint, and OneNote. Increase comprehension and outcomes with the most advanced teaching apps like integrated Learning Tools.
+- **Go beyond the browser with inspiring apps for classroom learning** - Inspire with Minecraft: Education Edition and innovative apps from the Microsoft Store for Education.
+
+Go to the Microsoft Education site to learn more. See How to buy to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
+
+## What we're doing
+In this walkthrough, we'll show you the basics on how to:
+> [!div class="checklist"]
+> * Acquire an Office 365 for Education tenant, if you don't already have one
+> * Import school, student, teacher, and class data using School Data Sync (SDS)
+> * Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
+> * Manage apps and settings deployment with Intune for Education
+> * Acquire additional apps in Microsoft Store for Education
+> * Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
+> * Log in and use the devices
+
+This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
+
+**Figure 1** - Microsoft Education IT administrator workflow
+
+![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
+
+## Prerequisites
+Complete these tasks before you start the walkthrough:
+- Make sure all the devices that you want to configure, such as student PCs, have the latest Windows 10, version 1703 image installed.
+
+ We recommend Windows 10, version 1703 to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices.
+
+ If you don't have Windows 10, version 1703 installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough.
+
+- Have an education-verified tenant to qualify for an Office 365 for Education subscription. You also need to be education-verified to use School Data Sync and Intune for Education.
+
+ If you don't have an education-verified domain, don't worry. We'll show you the steps on how to do this.
+
+ > [!NOTE]
+ > If you need to get education-verified, it may take up to two weeks for the verification process to be completed.
+
+## Setup options
+ To make sure you have a successful experience with deploying and managing a full cloud IT solution with Microsoft Education, select the scenario that best describes your school or how you'd like to get started.
+
+
+| [Get started with Microsoft Education in production environment](#noo365prodenv) | [Try out Microsoft Education in trial environment](#noo365trialenv) | [School uses Office 365, try out Intune for Education now](#schooluseso365tryi4e) |
+| ----------------------------------------- | ------------------------------------------------ | ---------------------------------------------- |
+| * My school doesn't use Office 365 for Education | * My school doesn't use Office 365 for Education | * My school uses Office 365 for Education |
+| * My school is not an education-verified tenant | * My school is not an education-verified tenant | * My school is an education-verified tenant |
+| * I would like to get started with Microsoft Education in a production environment | * I would like to try out Microsoft Education in a trial environment | * I would like to apply the Intune for Education trial code to my school's production environment |
+| * Longest, need to start from scratch | * Simplest, but may take longer to start | * Fastest, Office 365 and SDS already set up |
+
+
+### Option 1: Get started with Microsoft Education in a production environment
+Trying out Microsoft Education in a production environment means you'll be using real school data as you evaluate the features and tools. This requires more time to get fully set up and going.
+
+To get started with Microsoft Education in a production environment:
+
+* Go to https://aka.ms/sdssignup and fill out the form to sign up for School Data Sync and receive a free, one-on-one support from Microsoft.
+
+ A team from Microsoft will contact you to help get started with Microsoft Education.
+
+If you want a quicker way to evaluate Microsoft Education, you can [use a trial environment instead](#noo365trialenv).
+
+### Option 2: Try out Microsoft Education in a trial environment
+Once you get an Office 365 education-verified tenant, trying out Microsoft Education in a trial environment is an easy way to evaluate all the features and tools. Here, you'll use promo codes and sample files as you follow the walkthrough.
+
+To get started with Microsoft Education in a trial environment, follow these steps.
+
+1. [Set up a new Office 365 for Education tenant](#1-set-up-a-new-office-365-for-education-tenant).
+
+ Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days.
+
+2. Once you have an education-verified tenant, click https://aka.ms/intuneforedupreviewtrial to apply the Intune for Education trial promo code.
+ 1. In the Intune for Education Trial page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**.
+ 2. Sign in with your global admin credentials.
+
+3. Sign in to Office 365 admin portal and:
+ 1. Select **Admin > Users** and then search for your admin account.
+ 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself.
+ 3. Confirm that School Data Sync is turned on.
+
+3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [2. Use School Data Sync to import student data](#2-use-school-data-sync-to-import-student-data).
+
+### Option 3: Try out Intune for Education
+Already have an Office 365 for Education verified tenant? Just sign in with your global admin credentials to apply the Intune for Education preview trial code to your tenant and follow the rest of the walkthrough.
+
+1. Click https://aka.ms/intuneforedupreviewtrial to get started.
+2. In the **Intune for Education Trial** page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**.
+
+ **Figure 2** - Intune for Education trial sign in page
+
+ ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
+
+3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
+4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [3. Enable Microsoft Teams for your school](#3-enable-microsoft-teams-for-your-school) and then follow the rest of the instructions in this walkthrough.
+
+## 1. Set up a new Office 365 for Education tenant
+Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud.
+
+Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+
+1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school.
+2. Create an account and a user ID and password to use to sign into your account.
+
+ **Figure 3** - Office 365 account creation
+
+ ![Create an Office 365 account](images/o365_createaccount.png)
+
+3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...**
+4. In the **Verify eligibility for Microsoft Office 365 for Education** screen:
+ 1. Add your domain name and follow the steps to confirm ownership of the domain.
+ 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain.
+
+ In some cases, you may need to wait several hours for the DNS verification to complete.
You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain.
+
+ You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant.
+
+As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info.
+
+
+## 2. Use School Data Sync to import student data
+School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks.
+
+Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](#noo365prodenv) instead.
+
+**Download sample school data**
+
+1. Go to the O365-EDU-Tools GitHub site.
+2. Click the green **Clone or download** button to download the SDS sample files.
+
+ **Figure 4** - Download the SDS sample files from GitHub
+
+ ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png)
+
+3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder.
+4. Go to the folder where you saved the .zip and unzip the files.
+5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files.
+
+ **Figure 5** - Sample CSV files
+
+ ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png)
+
+ > [!NOTE]
+ > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in.
+ > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization.
+ > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section.
+
+To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting.
+
+**Use SDS to import student data**
+
+1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
+2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
+
+ **Figure 6** - Settings for managing SDS
+
+ ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png)
+
+3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**.
+
+ New menu options will appear on the left of the SDS portal.
+
+ **Figure 7** - New menu options appear after SDS is turned on
+
+ ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png)
+
+4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data.
+
+ This opens up the new profile setup wizard within the main page.
+
+ **Figure 8** - New SDS profile setup wizard
+
+ ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png)
+
+5. For the new profile, in the **How do you want to connect to your school?** screen:
+ 1.
Enter a name for your profile, such as *Contoso_Elementary_Profile*.
+ 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
+ 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
+ 4. Click **Start**.
+
+6. In the **Sync options** screen:
+ 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
+ 2. In the **Import data** section:
+ 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
+ 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
+ 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
+ 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
+
+ > [!NOTE]
+ > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
+
+ 5. After all the files are successfully uploaded, click **OK**.
+
+ 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
+ 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files.
If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
+ 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
+ 6. In the **Student enrollment option** section:
+ * If you want to sync your student roster data immediately, leave the box unchecked.
+ * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year.
+ 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
+ 8. Click **Next**.
+
+ **Figure 9** - Sync options for the new profile
+
+ ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png)
+
+7. In the **Teacher options** screen:
+ 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
+ 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files.
If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
+ 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**.
+ 4. Click **Next**.
+
+ **Figure 10** - Specify options for teacher mapping
+
+ ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png)
+
+8. In the **Student options** screen:
+ 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
+ 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
+ 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**.
+ 4. Click **Next**.
+
+ **Figure 11** - Specify options for student mapping
+
+ ![Specify options for student mapping](images/sds_profile_student_options_062317.png)
+
+9. In the profile **Review** page, review the summary and confirm that the options selected are correct.
+10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
+
+ **Figure 12** - SDS profile page
+
+ ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png)
+
+11.
After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
+ * Stage 1 - Validating data
+ * Stage 2 - Processing schools and sections
+ * Stage 3 - Processing students and teachers
+ * Stage 4 - Adding students and teachers into sections
+ * Stage 5 - Setting up security groups
+
+ If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process.
+
+ Once you've completed all five sync stages, your profile status will update one final time.
+ * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.**
+ * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved.
+
+ Here are some examples of what the sync status can look like:
+
+ **Figure 13** - New profile: Sync in progress
+
+ ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png)
+
+ **Figure 14** - New profile: Sync complete - no errors
+
+ ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png)
+
+ **Figure 15** - New profile: Sync complete - with errors
+
+ ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png)
+
+ Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
+
+ You can refresh the page to confirm that your profile synced successfully.
+
+That's it for importing sample school data using SDS.
+
+## 3. Enable Microsoft Teams for your school
+Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
+
+To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
+
+**Enable Microsoft Teams for your school**
+
+1. Sign in to Office 365 with your work or school account.
+2. Click **Admin** to go to the Office 365 admin center.
+3. Go to **Settings > Services & add-ins**.
+4. On the **Services & add-ins** page, select **Microsoft Teams**.
+
+ **Figure 16** - Select Microsoft Teams from the list of services & add-ins
+
+ ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
+
+5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**.
+
+ **Figure 17** - Select the license that you want to configure
+
+ ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
+
+6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
+
+ **Figure 18** - Turn on Microsoft Teams for your organization
+
+ ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
+
+7. Click **Save**.
+
+You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page.
+
+## 4. Configure Microsoft Store for Education
+You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
+
+**Associate your Microsoft Store account with Intune for Education**
+
+1. Sign in to Microsoft Store for Education.
+2. Accept the Microsoft Store for Business and Education Services Agreement.
+
+ This will take you to the Microsoft Store for Education portal.
+
+ **Figure 19** - Microsoft Store for Education portal
+
+ ![Microsoft Store for Education portal](images/msfe_store_portal.png)
+
+3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
+4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
+
+ **Figure 20** - Select management tools from the list of Store settings options
+
+ ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
+
+4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
+
+ **Figure 21** - Activate Intune for Education as the management tool
+
+ ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
+
+Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
+
+## 5. Use Intune for Education to manage groups, apps, and settings
+Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
+
+### Example - Set up Intune for Education, buy apps from the Store, and install the apps
+In this walkthrough, we'll go through a sample scenario and walk you through the steps to:
+- [Use express configuration to quickly set up Intune for Education](#setupintune)
+- [Use Intune for Education to buy apps from the Microsoft Store for Education](#addappsfrommsfe)
+- [Use Intune for Education to install the apps for all users in your tenant](#installappsallusers)
+
+Note that for verified education tenants, Microsoft automatically provisions your app catalog with these apps so you will see them appear on your Intune for Education catalog even before you've bought any apps:
+- Excel
+- Fresh Paint
+- Minecraft: Education Edition
+- OneNote
+- PowerPoint
+- Sway
+- Word
+
+ > [!NOTE]
+ > Apps that you own in the Microsoft Store for Education are automatically available in Intune for Education. Any changes you make to your purchases get reflected in Intune for Education.
+
+
+**Set up Intune for Education**
+
+Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
+
+1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in.
+
+ **Figure 22** - Intune for Education dashboard
+
+ ![Intune for Education dashboard](images/i4e_portal.png)
+
+2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
+3. In the **Welcome to Intune for Education** screen, click **Get started**.
+
+ **Figure 23** - Click Get started to set up Intune for Education
+
+ ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
+
+4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
+
+ **Figure 24** - SDS is configured
+
+ ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
+
+5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group.
+
+ You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough.
+
+6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**.
+
+ > [!TIP]
+ > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
+ >
+ > **Figure 25** - Click on the buttons to go back to that step
+ >
+ > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
+
+7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category.
+
+ - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step.
+
+ In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device.
+
+ > [!TIP]
+ > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
+
+ **Figure 26** - Choose the apps that you want to install for the group
+
+ ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
+
+8.
When you're done choosing apps, click **Next** at the bottom of the screen. + + If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. + +8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. + + **Figure 27** - Expand the settings group to get more details + + ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) + +9. For this walkthrough, set the following settings: + - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. + - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. + + **Figure 28** - Set some additional settings + + ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) + +10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. + + **Figure 29** - Review the group, apps, and settings you configured + + ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) + +11. Click **Save** to end express configuration. +12. You will see the **You're done!** screen which lets you choose one of two options. + + **Figure 30** - All done with Intune for Education express configuration + + ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) + +13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. 
+ + +**Add apps bought from Microsoft Store for Education** + +- **Example 1 - Minecraft: Education Edition** + + If you would like to purchase Minecraft: Education Edition or want to learn how to get, distribute, and manage permissions for Minecraft: Education Edition, see For IT administrators - get Minecraft: Education Edition. + +- **Example 2 - Free educational/reference apps** + + 1. In the Intune for Education console, click **Apps** from the menu on the left. + + **Figure 31** - Click on **Apps** to see the list of apps for your tenant + + ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) + + 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. + + **Figure 32** - Select the option to add a new Store app + + ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) + + 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education. + + For example, these apps are free: + - Duolingo - Learn Languages for Free + - Flashcards Pro + - Khan Academy + - My Study Life + + 4. Find or select the app you want to install and click **Get the app**. + 5. In the app's Store page, click the **...** button and select **Add to private store**. + 6. Repeat steps 3-5 to install another app or move to the next step. + 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory. + + For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. 
+ + **Figure 33** - Apps inventory in Microsoft Store for Education + + ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) + + In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. + + > [!NOTE] + > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. + +**Install apps for all users** + +Now that you've bought the apps, use Intune for Education to specify the group to install the apps for. Here, we'll show you how to install the apps you bought for all devices used by all users in your tenant. + +1. In the Intune for Education console, click the **Groups** option from the menu on the left. + + **Figure 34** - Groups page in Intune for Education + + ![Groups page in Intune for Education](images/i4e_groupspage.png) + +2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. + + **Figure 35** - List of all users in the tenant + + ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) + +3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. + + **Figure 36** - Edit apps to assign them to users + + ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) + +4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. 
+ + **Figure 37** - Select the apps to deploy to the group + + ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) + +5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. +6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. + + **Figure 38** - Updated list of assigned apps + + ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) + +You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. + +## 6. Set up Windows 10 devices + +### 6.1 Set up devices using Set up School PCs or Windows OOBE +We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options: +- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. +- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. + +**Option 1: Set up a device using the Set up School PCs app** + +IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Set up School PCs app](images/suspc_getstarted_050817.png) + +Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. 
This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: +- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant +- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. +- Removes OEM preinstalled software from each student PC +- Auto-configures and saves a wireless network profile on each student PC +- Gives a friendly and unique name to each student device for future management +- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup +- Enables optional guest account for younger students, lost passwords, or visitors +- Enables optional secure testing account +- Locks down the student PC to prevent mischievous activity: + * Prevents students from removing the PC from the school's device management system + * Prevents students from removing the Set up School PCs settings +- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours +- Customizes the Start layout with Office +- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more +- Uninstalls apps not specific to education, such as Solitaire +- Prevents students from adding personal Microsoft accounts to the PC + +**To set up a device using the Set up School PCs app** + +1. Follow the steps in Use the Set up School PCs app to quickly set up one or more student PCs. +2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup). + + +**Option 2: Set up a device using Windows OOBE** + +1. 
If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. +2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. + + **Figure 39** - Let's start with region + + ![Let's start with region](images/win10_letsstartwithregion.png) + +3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. + + **Figure 40** - Select setup for an organization + + ![Select setup for an organization](images/win10_setupforanorg.png) + +4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password. +5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies. +6. Click **Accept** to go through the rest of device setup. + + +### 6.2 Verify correct device setup +Verify that the device is set up correctly and boots without any issues. + +**Verify that the device was set up correctly** +1. Confirm that the Start menu contains a simple configuration. +2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**. + + > [!NOTE] + > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. + + **Figure 41** - Sample list of apps for a user + + ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) + +### 6.3 Verify the device is Azure AD joined +Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. + +**Verify if the device is joined to Azure AD** +1. 
Log in to the Intune for Education console. +2. Select **Groups** and select **All Devices**. +3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. + + **Figure 42** - List of all managed devices + + ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) + +4. On the Windows 10 education device, click **Start** and go to **Settings**. +5. Select **Accounts > Access work or school**. +6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. + + **Figure 43** - Confirm that the Windows 10 device is joined to Azure AD + + ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) + +**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks. + + +## 7. Finish setup and other tasks + +### 7.1 Update group settings in Intune for Education +If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps. + +1. Log in to the Intune for Education console. +2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. +3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. + + **Figure 44** - See the list of available settings in Intune for Education + + ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) + +4. Keep the default settings or configure the settings according to your school's policies. + + For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**. + +5. 
Click **Save** or **Discard changes**. + +### 7.2 Configure Azure settings +After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use. + +#### Enable many devices to be added by a single person +When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure. + +Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure. + +1. Sign in to the Office 365 admin center. +2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. +3. Select **Azure Active Directory > Users and groups > Device settings**. + + **Figure 45** - Device settings in the new Azure portal + + ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) + +4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**. +5. Click **Save** to update device settings. + +#### Enable roaming settings for users +When students move from using one device to another, they may need to have their settings roam with them and be made available on other devices. + +Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another. + +1. Sign in to the Office 365 admin center. +3. Go to the new Azure portal, https://portal.azure.com. +3. Select **Azure Active Directory > Users and groups > Device settings**. +4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. + + **Figure 46** - Enable settings to roam with users + + ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) + +5. Click **Save** to update device settings. 
+ +### 7.3 Complete Office 365 for Education setup +Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation. + +### 7.4 Add more users +After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. + +See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well. + +### 7.5 Connect other devices to your cloud infrastructure +Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. + + > [!NOTE] + > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. + +**To connect a personal device to your work or school** + +1. On your Windows device, go to **Settings > Accounts**. +2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. +3. In the **Set up a work or school account** window, enter the user's account info. 
+ + For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. + + **Figure 47** - Device is now managed by Intune for Education + + ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) + +4. Enter the account password and then click **Sign in** to authenticate the user. + + Depending on the organization's policy, the user may be asked to update the password. + +5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. + + **Figure 48** - Device is connected to organization's MDM + + ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) + +6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined). + + It may take several minutes before the new device shows up so check again later. + + +## Get more info + +### Microsoft Education documentation and resources hub +See the Microsoft Education documentation and resources hub for links to more content for IT admins, teachers, students, and education app developers. 
+ +### Info related to this walkthrough + +**For IT admins** + +To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links: +- Working with Microsoft Store for Education +- *Resources for anyone who uses Office 365* and *Resources for admins* in Get started with Office 365 for Education +- School Data Sync deployment options + - Deployment using CSV files: How to deploy School Data Sync by using CSV files and CSV files for School Data Sync + - Deployment using PowerSchool Sync: How to deploy School Data Sync by using PowerSchool Sync and School Data Sync required attributes for PowerSchool Sync + - Deployment using Clever Sync: How to deploy School Data Sync by using Clever Sync and School Data Sync required attributes for Clever sync + - Deployment using OneRoster CSV files: How to deploy School Data Sync by using OneRoster CSV files + +**For teachers** + +Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info: +- *Resources for anyone who uses Office 365* in Get started with Office 365 for Education +- Windows 10 online resources for teachers + + + + diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 78b9e46ccf..51de907eef 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -6,11 +6,11 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.topic: hero-article -localizationpriority: high +ms.localizationpriority: high ms.pagetype: edu author: CelesteDG ms.author: celested -ms.date: 06/26/2017 +ms.date: 08/29/2017 --- # Get started: Deploy and manage a full cloud IT solution with Microsoft Education 
@@ -43,20 +43,20 @@ With Microsoft Education, schools can: Go to the Microsoft Education site to learn more. See How to buy to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions. ## What we're doing -In this walkthrough, we'll show you the basics on how to: -- Acquire an Office 365 for Education tenant, if you don't already have one -- Import school, student, teacher, and class data using School Data Sync (SDS) -- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate -- Manage apps and settings deployment with Intune for Education -- Acquire additional apps in Microsoft Store for Education -- Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices -- Log in and use the devices +The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on your [setup scenario](#setup-options), you may not need to implement all these steps. -This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram. +Click the link to watch the video or follow the step-by-step guidance for each. + +1. [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +2. [Use School Data Sync to import student data](use-school-data-sync.md) +3. [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +4. [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +5. [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) +6. 
[Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) **Figure 1** - Microsoft Education IT administrator workflow -![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png) +![Deploy and manage a full cloud IT solution using Microsoft Education](images/MSES_Get_Started_IT_082917.png) ## Prerequisites Complete these tasks before you start the walkthrough: @@ -101,7 +101,7 @@ Once you get an Office 365 education-verified tenant, trying out Microsoft Educa To get started with Microsoft Education in a trial environment, follow these steps. -1. [Set up a new Office 365 for Education tenant](#1-set-up-a-new-office-365-for-education-tenant). +1. [Set up a new Office 365 for Education tenant](set-up-office365-edu-tenant.md). Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days. @@ -114,7 +114,7 @@ To get started with Microsoft Education in a trial environment, follow these ste 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself. 3. Confirm that School Data Sync is turned on. -3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [2. Use School Data Sync to import student data](#2-use-school-data-sync-to-import-student-data). +3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [Use School Data Sync to import student data](use-school-data-sync.md). ### Option 3: Try out Intune for Education Already have an Office 365 for Education verified tenant? Just sign in with your global admin credentials to apply the Intune for Education preview trial code to your tenant and follow the rest of the walkthrough. 
@@ -127,613 +127,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant. -4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [3. Enable Microsoft Teams for your school](#3-enable-microsoft-teams-for-your-school) and then follow the rest of the instructions in this walkthrough. - -## 1. Set up a new Office 365 for Education tenant -Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. - -Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). - -1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school. -2. Create an account and a user ID and password to use to sign into your account. - - **Figure 3** - Office 365 account creation - - ![Create an Office 365 account](images/o365_createaccount.png) - -3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** -4. In the **Verify eligibility for Microsoft Office 365 for Education** screen: - 1. Add your domain name and follow the steps to confirm ownership of the domain. - 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. - - In some cases, you may need to wait several hours for the DNS verification to complete. 
You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain. - - You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. - -As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info. - - -## 2. Use School Data Sync to import student data -School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks. - -Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](#noo365prodenv) instead. - -**Download sample school data** - -1. Go to the O365-EDU-Tools GitHub site. -2. Click the green **Clone or download** button to download the SDS sample files. - - **Figure 4** - Download the SDS sample files from GitHub - - ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png) - -3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder. -4. Go to the folder where you saved the .zip and unzip the files. -5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files. 
- - **Figure 5** - Sample CSV files - - ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png) - - > [!NOTE] - > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in. - > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization. - > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section. - -To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting. - -**Use SDS to import student data** - -1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com. -2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**. - - **Figure 6** - Settings for managing SDS - - ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png) - -3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**. - - New menu options will appear on the left of the SDS portal. - - **Figure 7** - New menu options appear after SDS is turned on - - ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png) - -4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data. - - This opens up the new profile setup wizard within the main page. - - **Figure 8** - New SDS profile setup wizard - - ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png) - -5. For the new profile, in the **How do you want to connect to your school?** screen: - 1. 
Enter a name for your profile, such as *Contoso_Elementary_Profile*. - 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**. - 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**. - 4. Click **Start**. - -6. In the **Sync options** screen: - 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**. - 2. In the **Import data** section: - 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window. - 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. - 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. - 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. - - > [!NOTE] - > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified. - - 5. After all the files are successfully uploaded, click **OK**. - - 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. - 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. 
If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. - 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. - 6. In the **Student enrollment option** section: - * If you want to sync your student roster data immediately, leave the box unchecked. - * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year. - 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education. - 8. Click **Next**. - - **Figure 9** - Sync options for the new profile - - ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png) - -7. In the **Teacher options** screen: - 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. - 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. 
If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**. - 4. Click **Next**. - - **Figure 10** - Specify options for teacher mapping - - ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png) - -8. In the **Student options** screen: - 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. - 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**. - 4. Click **Next**. - - **Figure 11** - Specify options for student mapping - - ![Specify options for student mapping](images/sds_profile_student_options_062317.png) - -9. In the profile **Review** page, review the summary and confirm that the options selected are correct. -10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile. - - **Figure 12** - SDS profile page - - ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png) - -11. 
After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on: - * Stage 1 - Validating data - * Stage 2 - Processing schools and sections - * Stage 3 - Processing students and teachers - * Stage 4 - Adding students and teachers into sections - * Stage 5 - Setting up security groups - - If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process. - - Once you've completed all five sync stages, your profile status will update one final time. - * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.** - * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved. 
- - Here are some examples of what the sync status can look like: - - **Figure 13** - New profile: Sync in progress - - ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png) - - **Figure 14** - New profile: Sync complete - no errors - - ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png) - - **Figure 15** - New profile: Sync complete - with errors - - ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png) - - Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. - - You can refresh the page to confirm that your profile synced successfully. - -That's it for importing sample school data using SDS. - -## 3. Enable Microsoft Teams for your school -Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. - -To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school. - -**Enable Microsoft Teams for your school** - -1. Sign in to Office 365 with your work or school account. -2. Click **Admin** to go to the Office 365 admin center. -3. Go to **Settings > Services & add-ins**. -4. On the **Services & add-ins** page, select **Microsoft Teams**. 
- - **Figure 16** - Select Microsoft Teams from the list of services & add-ins - - ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) - -5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**. - - **Figure 17** - Select the license that you want to configure - - ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) - -6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. - - **Figure 18** - Turn on Microsoft Teams for your organization - - ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) - -7. Click **Save**. - -You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page. - -## 4. Configure Microsoft Store for Education -You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. - -**Associate your Microsoft Store account with Intune for Education** - -1. Sign in to Microsoft Store for Education. -2. Accept the Microsoft Store for Business and Education Services Agreement. - - This will take you to the Microsoft Store for Education portal. - - **Figure 19** - Microsoft Store for Education portal - - ![Microsoft Store for Education portal](images/msfe_store_portal.png) - -3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. -4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. 
- - **Figure 20** - Select management tools from the list of Store settings options - - ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) - -4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. - - **Figure 21** - Activate Intune for Education as the management tool - - ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) - -Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. - -## 5. Use Intune for Education to manage groups, apps, and settings -Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. 
- -### Example - Set up Intune for Education, buy apps from the Store, and install the apps -In this walkthrough, we'll go through a sample scenario and walk you through the steps to: -- [Use express configuration to quickly set up Intune for Education](#setupintune) -- [Use Intune for Education to buy apps from the Microsoft Store for Education](#addappsfrommsfe) -- [Use Intune for Education to install the apps for all users in your tenant](#installappsallusers) - -Note that for verified education tenants, Microsoft automatically provisions your app catalog with these apps so you will see them appear on your Intune for Education catalog even before you've bought any apps: -- Excel -- Fresh Paint -- Minecraft: Education Edition -- OneNote -- PowerPoint -- Sway -- Word - - > [!NOTE] - > Apps that you own in the Microsoft Store for Education are automatically available in Intune for Education. Any changes you make to your purchases get reflected in Intune for Education. - - -**Set up Intune for Education** - -Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. - -1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. - - **Figure 22** - Intune for Education dashboard - - ![Intune for Education dashboard](images/i4e_portal.png) - -2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. -3. In the **Welcome to Intune for Education** screen, click **Get started**. - - **Figure 23** - Click Get started to set up Intune for Education - - ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) - -4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. 
- - **Figure 24** - SDS is configured - - ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) - -5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group. - - You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough. - -6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**. - - > [!TIP] - > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! - > - > **Figure 25** - Click on the buttons to go back to that step - > - > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) - -7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category. - - - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step. - - In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device. - - > [!TIP] - > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. - - **Figure 26** - Choose the apps that you want to install for the group - - ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) - -8. 
When you're done choosing apps, click **Next** at the bottom of the screen. - - If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. - -8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. - - **Figure 27** - Expand the settings group to get more details - - ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) - -9. For this walkthrough, set the following settings: - - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. - - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. - - **Figure 28** - Set some additional settings - - ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) - -10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. - - **Figure 29** - Review the group, apps, and settings you configured - - ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) - -11. Click **Save** to end express configuration. -12. You will see the **You're done!** screen which lets you choose one of two options. - - **Figure 30** - All done with Intune for Education express configuration - - ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) - -13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. 
- - -**Add apps bought from Microsoft Store for Education** - -- **Example 1 - Minecraft: Education Edition** - - If you would like to purchase Minecraft: Education Edition or want to learn how to get, distribute, and manage permissions for Minecraft: Education Edition, see For IT administrators - get Minecraft: Education Edition. - -- **Example 2 - Free educational/reference apps** - - 1. In the Intune for Education console, click **Apps** from the menu on the left. - - **Figure 31** - Click on **Apps** to see the list of apps for your tenant - - ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) - - 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. - - **Figure 32** - Select the option to add a new Store app - - ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) - - 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education. - - For example, these apps are free: - - Duolingo - Learn Languages for Free - - Flashcards Pro - - Khan Academy - - My Study Life - - 4. Find or select the app you want to install and click **Get the app**. - 5. In the app's Store page, click the **...** button and select **Add to private store**. - 6. Repeat steps 3-5 to install another app or move to the next step. - 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory. - - For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. 
- - **Figure 33** - Apps inventory in Microsoft Store for Education - - ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) - - In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. - - > [!NOTE] - > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. - -**Install apps for all users** - -Now that you've bought the apps, use Intune for Education to specify the group to install the apps for. Here, we'll show you how to install the apps you bought for all devices used by all users in your tenant. - -1. In the Intune for Education console, click the **Groups** option from the menu on the left. - - **Figure 34** - Groups page in Intune for Education - - ![Groups page in Intune for Education](images/i4e_groupspage.png) - -2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. - - **Figure 35** - List of all users in the tenant - - ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) - -3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. - - **Figure 36** - Edit apps to assign them to users - - ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) - -4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. 
- - **Figure 37** - Select the apps to deploy to the group - - ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) - -5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. -6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. - - **Figure 38** - Updated list of assigned apps - - ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) - -You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. - -## 6. Set up Windows 10 devices - -### 6.1 Set up devices using Set up School PCs or Windows OOBE -We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options: -- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. -- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. - -**Option 1: Set up a device using the Set up School PCs app** - -IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - -![Set up School PCs app](images/suspc_getstarted_050817.png) - -Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. 
This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: -- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant -- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. -- Removes OEM preinstalled software from each student PC -- Auto-configures and saves a wireless network profile on each student PC -- Gives a friendly and unique name to each student device for future management -- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup -- Enables optional guest account for younger students, lost passwords, or visitors -- Enables optional secure testing account -- Locks down the student PC to prevent mischievous activity: - * Prevents students from removing the PC from the school's device management system - * Prevents students from removing the Set up School PCs settings -- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours -- Customizes the Start layout with Office -- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more -- Uninstalls apps not specific to education, such as Solitaire -- Prevents students from adding personal Microsoft accounts to the PC - -**To set up a device using the Set up School PCs app** - -1. Follow the steps in Use the Set up School PCs app to quickly set up one or more student PCs. -2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup). - - -**Option 2: Set up a device using Windows OOBE** - -1. 
If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. -2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. - - **Figure 39** - Let's start with region - - ![Let's start with region](images/win10_letsstartwithregion.png) - -3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. - - **Figure 40** - Select setup for an organization - - ![Select setup for an organization](images/win10_setupforanorg.png) - -4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password. -5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies. -6. Click **Accept** to go through the rest of device setup. - - -### 6.2 Verify correct device setup -Verify that the device is set up correctly and boots without any issues. - -**Verify that the device was set up correctly** -1. Confirm that the Start menu contains a simple configuration. -2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**. - - > [!NOTE] - > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. - - **Figure 41** - Sample list of apps for a user - - ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) - -### 6.3 Verify the device is Azure AD joined -Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. - -**Verify if the device is joined to Azure AD** -1. 
Log in to the Intune for Education console. -2. Select **Groups** and select **All Devices**. -3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. - - **Figure 42** - List of all managed devices - - ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) - -4. On the Windows 10 education device, click **Start** and go to **Settings**. -5. Select **Accounts > Access work or school**. -6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. - - **Figure 43** - Confirm that the Windows 10 device is joined to Azure AD - - ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) - -**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks. - - -## 7. Finish setup and other tasks - -### 7.1 Update group settings in Intune for Education -If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps. - -1. Log in to the Intune for Education console. -2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. -3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. - - **Figure 44** - See the list of available settings in Intune for Education - - ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) - -4. Keep the default settings or configure the settings according to your school's policies. - - For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**. - -5. 
Click **Save** or **Discard changes**. - -### 7.2 Configure Azure settings -After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use. - -#### Enable many devices to be added by a single person -When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure. - -Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure. - -1. Sign in to the Office 365 admin center. -2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. -3. Select **Azure Active Directory > Users and groups > Device settings**. - - **Figure 45** - Device settings in the new Azure portal - - ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) - -4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**. -5. Click **Save** to update device settings. - -#### Enable roaming settings for users -When students move from using one device to another, they may need to have their settings roam with them and be made available on other devices. - -Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another. - -1. Sign in to the Office 365 admin center. -3. Go to the new Azure portal, https://portal.azure.com. -3. Select **Azure Active Directory > Users and groups > Device settings**. -4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. - - **Figure 46** - Enable settings to roam with users - - ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) - -5. Click **Save** to update device settings. 
- -### 7.3 Complete Office 365 for Education setup -Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation. - -### 7.4 Add more users -After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. - -See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well. - -### 7.5 Connect other devices to your cloud infrastructure -Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. - - > [!NOTE] - > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. - -**To connect a personal device to your work or school** - -1. On your Windows device, go to **Settings > Accounts**. -2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. -3. In the **Set up a work or school account** window, enter the user's account info. 
- - For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. - - **Figure 47** - Device is now managed by Intune for Education - - ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) - -4. Enter the account password and then click **Sign in** to authenticate the user. - - Depending on the organization's policy, the user may be asked to update the password. - -5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. - - **Figure 48** - Device is connected to organization's MDM - - ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) - -6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined). - - It may take several minutes before the new device shows up so check again later. - +4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [Enable Microsoft Teams for your school](enable-microsoft-teams.md) and then follow the rest of the instructions in this walkthrough. ## Get more info diff --git a/education/get-started/images/MSES_Get_Started_IT_082917.png b/education/get-started/images/MSES_Get_Started_IT_082917.png new file mode 100644 index 0000000000..5153524b43 Binary files /dev/null and b/education/get-started/images/MSES_Get_Started_IT_082917.png differ diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md new file mode 100644 index 0000000000..623b0c5e4e 
--- /dev/null +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -0,0 +1,58 @@ +--- +title: Set up an Office 365 Education tenant +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Set up an Office 365 Education tenant + +> [!div class="step-by-step"] +[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) +[Use School Data Sync to import student data >>](use-school-data-sync.md) + +Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. + +Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+ +
+ +You can watch the descriptive audio version here: [Microsoft Education: Set up an Office 365 Education tenant (DA)](https://www.youtube.com/watch?v=d5tQ8KoB3ic) + +## To set up a new Office 365 Education tenant + +1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school. +2. Create an account and a user ID and password to use to sign into your account. + + **Figure 1** - Office 365 account creation + + ![Create an Office 365 account](images/o365_createaccount.png) + +3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** +4. In the **Verify eligibility for Microsoft Office 365 for Education** screen: + 1. Add your domain name and follow the steps to confirm ownership of the domain. + 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. + + In some cases, you may need to wait several hours for the DNS verification to complete. You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain. + + You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. + +As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See *Complete Office 365 for Education setup* in [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) for info. 
+ +> [!div class="step-by-step"] +[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) +[Use School Data Sync to import student data >>](use-school-data-sync.md) + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) \ No newline at end of file diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md new file mode 100644 index 0000000000..a77a9e2f89 --- /dev/null +++ b/education/get-started/set-up-windows-10-education-devices.md 
@@ -0,0 +1,41 @@ +--- +title: Set up Windows 10 education devices +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Set up Windows 10 education devices + +> [!div class="step-by-step"] +[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +[Finish setup and other tasks >>](finish-setup-and-other-tasks.md) + +We recommend using the latest build of Windows 10, version 1703 on your education devices. + +To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide: +- **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. +- **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. 
+ + + + +> [!div class="step-by-step"] +[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +[Finish setup and other tasks >>](finish-setup-and-other-tasks.md) + + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md new file mode 100644 index 0000000000..ad79d03cb5 --- /dev/null +++ b/education/get-started/set-up-windows-education-devices.md @@ -0,0 +1,47 @@ +--- +title: Set up Windows 10 devices using Windows OOBE +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Set up Windows 10 devices using Windows OOBE + +If you are setting up a Windows 10 device invidividually, and network bandwidth is not an issue, you can go through the Windows 10 first-run setup experience, also known as OOBE (out-of-box-experience) to set up the device, and join it to your school's Office 365 and Azure Active Directory. + +You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ +You can watch the descriptive audio version here: [Microsoft Education: Set up a new Windows 10 education devices using the Windows setup experience (DA)](https://www.youtube.com/watch?v=_UtS1Cz2Pno) + +## To set up Windows 10 devices using OOBE + +1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. +2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. + + **Figure 1** - Let's start with region + + ![Let's start with region](images/win10_letsstartwithregion.png) + +3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. + + **Figure 2** - Select setup for an organization + + ![Select setup for an organization](images/win10_setupforanorg.png) + +4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password. +5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies. +6. Click **Accept** to go through the rest of device setup. + + +## Related topic +[Set up Windows 10 education devices](set-up-windows-10-education-devices.md) \ No newline at end of file diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md new file mode 100644 index 0000000000..491a309866 --- /dev/null +++ b/education/get-started/use-intune-for-education.md 
@@ -0,0 +1,225 @@ +--- +title: Use Intune for Education to manage groups, apps, and settings +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Use Intune for Education to manage groups, apps, and settings + +> [!div class="step-by-step"] +[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) + +Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. 
+ +## Example - Set up Intune for Education, buy apps from the Store, and install the apps +In this walkthrough, we'll go through a sample scenario and walk you through the steps to: +- [Use express configuration to quickly set up Intune for Education](#set-up-intune-for-education) +- [Use Intune for Education to buy apps from the Microsoft Store for Education](#add-apps-bought-from-microsoft-store-for-education) +- [Use Intune for Education to install the apps for all users in your tenant](#install-apps-for-all-users) + +Note that for verified education tenants, Microsoft automatically provisions your app catalog with these apps so you will see them appear on your Intune for Education catalog even before you've bought any apps: +- Excel +- Fresh Paint +- Minecraft: Education Edition +- OneNote +- PowerPoint +- Sway +- Word + + > [!NOTE] + > Apps that you own in the Microsoft Store for Education are automatically available in Intune for Education. Any changes you make to your purchases get reflected in Intune for Education. + +You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ + +You can watch the descriptive audio version here: [Microsoft Education: Use Intune for Education to manage groups, apps, and settings (DA)](https://youtu.be/Tejxfc4V7cQ) + +## Set up Intune for Education +Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. + +1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. + + **Figure 1** - Intune for Education dashboard + + ![Intune for Education dashboard](images/i4e_portal.png) + +2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. +3. In the **Welcome to Intune for Education** screen, click **Get started**. + + **Figure 2** - Click Get started to set up Intune for Education + + ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) + +4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. + + **Figure 3** - SDS is configured + + ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) + +5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group. + + You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough. + +6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**. + + > [!TIP] + > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! 
+ > + > **Figure 4** - Click on the buttons to go back to that step + > + > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) + +7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category. + + - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step. + + In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device. + + > [!TIP] + > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. + + **Figure 5** - Choose the apps that you want to install for the group + + ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) + +8. When you're done choosing apps, click **Next** at the bottom of the screen. + + If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. + +8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. + + **Figure 6** - Expand the settings group to get more details + + ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) + +9. For this walkthrough, set the following settings: + - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. 
+ - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. + + **Figure 28** - Set some additional settings + + ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) + +10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. + + **Figure 7** - Review the group, apps, and settings you configured + + ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) + +11. Click **Save** to end express configuration. +12. You will see the **You're done!** screen which lets you choose one of two options. + + **Figure 8** - All done with Intune for Education express configuration + + ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) + +13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. + +## Add apps bought from Microsoft Store for Education + +- **Example 1 - Minecraft: Education Edition** + + If you would like to purchase Minecraft: Education Edition or want to learn how to get, distribute, and manage permissions for Minecraft: Education Edition, see For IT administrators - get Minecraft: Education Edition. + +- **Example 2 - Free educational/reference apps** + + 1. In the Intune for Education console, click **Apps** from the menu on the left. + + **Figure 9** - Click on **Apps** to see the list of apps for your tenant + + ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) + + 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. 
+ + **Figure 10** - Select the option to add a new Store app + + ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) + + 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education. + + For example, these apps are free: + - Duolingo - Learn Languages for Free + - Flashcards Pro + - Khan Academy + - My Study Life + + 4. Find or select the app you want to install and click **Get the app**. + 5. In the app's Store page, click the **...** button and select **Add to private store**. + 6. Repeat steps 3-5 to install another app or move to the next step. + 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory. + + For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. + + **Figure 11** - Apps inventory in Microsoft Store for Education + + ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) + + In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. + + > [!NOTE] + > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. + +## Install apps for all users + +Now that you've bought the apps, use Intune for Education to specify the group to install the apps for. 
Here, we'll show you how to install the apps you bought for all devices used by all users in your tenant. + +1. In the Intune for Education console, click the **Groups** option from the menu on the left. + + **Figure 12** - Groups page in Intune for Education + + ![Groups page in Intune for Education](images/i4e_groupspage.png) + +2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. + + **Figure 13** - List of all users in the tenant + + ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) + +3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. + + **Figure 14** - Edit apps to assign them to users + + ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) + +4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. + + **Figure 15** - Select the apps to deploy to the group + + ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) + +5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. +6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. + + **Figure 16** - Updated list of assigned apps + + ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) + +You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. 
+ + + +> [!div class="step-by-step"] +[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) + + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) \ No newline at end of file diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md new file mode 100644 index 0000000000..6065f9dfd0 --- /dev/null +++ b/education/get-started/use-school-data-sync.md 
@@ -0,0 +1,187 @@
+---
+title: Use School Data Sync to import student data
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Use School Data Sync to import student data
+
+> [!div class="step-by-step"]
+[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
+[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
+
+School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks.
+
+Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](https://docs.microsoft.com/en-us/education/get-started/get-started-with-microsoft-education#setup-options) instead.
+
+You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+
+
+You can watch the descriptive audio version here: [Microsoft Education: Use School Data Sync to import student data (DA)](https://www.youtube.com/watch?v=l4b086IMtvc)
+
+
+## Download sample school data
+
+1. Go to the O365-EDU-Tools GitHub site.
+2. Click the green **Clone or download** button to download the SDS sample files.
+
+ **Figure 1** - Download the SDS sample files from GitHub
+
+ ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png)
+
+3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder.
+4. Go to the folder where you saved the .zip and unzip the files.
+5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files.
+
+ **Figure 2** - Sample CSV files
+
+ ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png)
+
+ > [!NOTE]
+ > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in.
+ > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization.
+ > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section.
+
+To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting.
+
+## Use SDS to import student data
+
+1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
+2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**. 
+
+ **Figure 3** - Settings for managing SDS
+
+ ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png)
+
+3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**.
+
+ New menu options will appear on the left of the SDS portal.
+
+ **Figure 4** - New menu options appear after SDS is turned on
+
+ ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png)
+
+4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data.
+
+ This opens up the new profile setup wizard within the main page.
+
+ **Figure 5** - New SDS profile setup wizard
+
+ ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png)
+
+5. For the new profile, in the **How do you want to connect to your school?** screen:
+ 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*.
+ 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
+ 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
+ 4. Click **Start**.
+
+6. In the **Sync options** screen:
+ 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
+ 2. In the **Import data** section:
+ 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
+ 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
+ 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
+ 4. 
In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
+
+ > [!NOTE]
+ > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
+
+ 5. After all the files are successfully uploaded, click **OK**.
+
+ 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
+ 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
+ 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
+ 6. In the **Student enrollment option** section:
+ * If you want to sync your student roster data immediately, leave the box unchecked.
+ * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year.
+ 7. 
In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
+ 8. Click **Next**.
+
+ **Figure 6** - Sync options for the new profile
+
+ ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png)
+
+7. In the **Teacher options** screen:
+ 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
+ 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
+ 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**.
+ 4. Click **Next**.
+
+ **Figure 7** - Specify options for teacher mapping
+
+ ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png)
+
+8. In the **Student options** screen:
+ 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
+ 2. 
In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
+ 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**.
+ 4. Click **Next**.
+
+ **Figure 8** - Specify options for student mapping
+
+ ![Specify options for student mapping](images/sds_profile_student_options_062317.png)
+
+9. In the profile **Review** page, review the summary and confirm that the options selected are correct.
+10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
+
+ **Figure 9** - SDS profile page
+
+ ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png)
+
+11. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
+ * Stage 1 - Validating data
+ * Stage 2 - Processing schools and sections
+ * Stage 3 - Processing students and teachers
+ * Stage 4 - Adding students and teachers into sections
+ * Stage 5 - Setting up security groups
+
+ If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. 
Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process.
+
+ Once you've completed all five sync stages, your profile status will update one final time.
+ * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.**
+ * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved.
+
+ Here are some examples of what the sync status can look like:
+
+ **Figure 10** - New profile: Sync in progress
+
+ ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png)
+
+ **Figure 11** - New profile: Sync complete - no errors
+
+ ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png)
+
+ **Figure 12** - New profile: Sync complete - with errors
+
+ ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png)
+
+ Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
+
+ You can refresh the page to confirm that your profile synced successfully.
+
+That's it for importing sample school data using SDS. 
+ + + +> [!div class="step-by-step"] +[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) \ No newline at end of file diff --git a/education/images/education-ms-teams.svg b/education/images/education-ms-teams.svg new file mode 100644 index 0000000000..041429e604 --- /dev/null +++ b/education/images/education-ms-teams.svg @@ -0,0 +1,258 @@ + + + + + education-pro-usb copy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/images/education-partner-aep-2.svg b/education/images/education-partner-aep-2.svg new file mode 100644 index 0000000000..6bf0c2c3ac --- /dev/null +++ b/education/images/education-partner-aep-2.svg @@ -0,0 +1,84 @@ + + + + + education-partner-aep-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/images/education-partner-directory-3.svg b/education/images/education-partner-directory-3.svg new file mode 100644 index 0000000000..ba8f644949 --- /dev/null +++ b/education/images/education-partner-directory-3.svg @@ -0,0 +1,95 @@ + + + + + education-partner-directory-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/images/education-partner-mepn-1.svg b/education/images/education-partner-mepn-1.svg new file mode 100644 index 0000000000..b2585e2969 --- /dev/null +++ b/education/images/education-partner-mepn-1.svg @@ -0,0 +1,103 @@ + + + + + education-partner-mepn-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/education/images/education-partner-yammer.svg b/education/images/education-partner-yammer.svg new file mode 100644 index 0000000000..c92245652e --- /dev/null +++ b/education/images/education-partner-yammer.svg @@ -0,0 +1,19 @@ + + + + + education-partner-yammer + + + + + + + + + + diff --git a/education/images/education-pro-usb.svg b/education/images/education-pro-usb.svg new file mode 100644 index 0000000000..37f83e26da --- /dev/null +++ b/education/images/education-pro-usb.svg @@ -0,0 +1,111 @@ + + + + + education-pro-usb + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/index.md b/education/index.md index f1dbb98cc3..bb44bf632a 100644 --- a/education/index.md +++ b/education/index.md @@ -45,6 +45,24 @@ ms.author: celested +
  • + +
    +
    +
    +
    +
    + Test Windows 10 S for education +
    +
    +
    + Test Windows 10 S for Education +
    +
    +
    +
    +
    +
  • @@ -215,7 +233,7 @@ ms.author: celested
    - Set up School PCs + Set up School PCs
    @@ -234,7 +252,7 @@ ms.author: celested
    - Meet Microsoft Teams + Meet Microsoft Teams
    @@ -377,7 +395,7 @@ ms.author: celested
    - Meet Microsoft Teams + Meet Microsoft Teams
    @@ -396,7 +414,7 @@ ms.author: celested
\ No newline at end of file
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index a121e92d2e..30aa3f0ba5 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -12,9 +12,11 @@
 ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
 ### [Take a Test app technical reference](take-a-test-app-technical.md)
 ## [Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
-## [Get Minecraft Education Edition](get-minecraft-for-education.md)
+## [Get Minecraft: Education Edition](get-minecraft-for-education.md)
 ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
+### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md)
+## [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
 ## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 8cce637c8d..699111447d 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -8,13 +8,28 @@ ms.sitesec: library
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
-ms.date: 06/19/2017
+ms.date: 08/01/2017
 ---
 # Change history for Windows 10 for Education
 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## August 2017
+
+| New or changed topic | Description |
+| --- | ---- |
+| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. |
+| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. |
+
+## July 2017
+
+| New or changed topic | Description |
+| --- | ---- |
+| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
+| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
+| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
+
 ## June 2017
 | New or changed topic | Description |
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index f88c07f4b1..94d98ad536 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu, devices
-localizationpriority: high
+ms.localizationpriority: high
 author: craigash
 ms.author: celested
 ---
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 4cbabcfdff..b4457fe264 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -4,7 +4,9 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons
 keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.prod: w10
+ms.pagetype: edu
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ms.date: 06/19/2017
@@ -16,7 +18,7 @@ ms.date: 06/19/2017
 - Windows 10
-Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
+Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
 We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. 
To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
@@ -24,7 +26,7 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
 | Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S |
 | --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
+| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
 | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
 | **Cortana** | **AllowCortana** | Disables Cortana

    * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

    See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

    See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
 | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 70f71c103a..677ecadbb9 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: craigash
 ms.author: celested
 ---
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 6c6ecf4977..e83be61c46 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: craigash
 ms.author: celested
 ---
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 7d76300a59..b6da8e4c04 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -4,7 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, as
 keywords: Windows 10 deployment, recommendations, privacy settings, school
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ms.date: 06/19/2017
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 25070b6aa8..4a2fc0fdf9 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -5,7 +5,9 @@ keywords: school, Microsoft Store for Education, Microsoft education store
 ms.prod: W10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
+searchScope:
+ - Store
 author: trudyha
 ms.author: trudyha
 ---
diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md
index 7f9fedb193..5fe066fdea 100644
--- a/education/windows/get-minecraft-device-promotion.md
+++ b/education/windows/get-minecraft-device-promotion.md
@@ -5,8 +5,10 @@ keywords: school, Minecraft, education edition
 ms.prod: W10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: trudyha
+searchScope:
+ - Store
 ms.author: trudyha
 ms.date: 06/29/2017
 ---
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 036d1cf2b7..172533af8e 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -5,8 +5,10 @@ keywords: school, Minecraft, education edition
 ms.prod: W10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: trudyha
+searchScope:
+ - Store
 ms.author: trudyha
 ---
diff --git a/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG b/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG
new file mode 100644
index 0000000000..22df144bdc
Binary files /dev/null and b/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG differ
diff --git a/education/windows/images/suspc_createpackage_summary_073117.PNG b/education/windows/images/suspc_createpackage_summary_073117.PNG
new file mode 100644
index 0000000000..c0e4b04723
Binary files /dev/null and b/education/windows/images/suspc_createpackage_summary_073117.PNG differ
diff --git a/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG b/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG
new file mode 100644
index 0000000000..4a4ec886a5
Binary files /dev/null and b/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 33b03ce19c..e84bfe7051 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
@@ -40,10 +40,10 @@ ms.author: celested
 ## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy
-

    [Set up Windows devices for education](set-up-windows-10.md)
    Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

    +

    [Set up Windows devices for education](set-up-windows-10.md)
    Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

    [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    Get step-by-step guidance to help you deploy Windows 10 in a school environment.

    [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

    -

    Try it out: Windows 10 deployment (for education)
    Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

    For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

    +

    [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
    Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

    ## ![Switch to Windows 10 for Education](images/windows.png) Switch
@@ -65,3 +65,7 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
 ## Related topics
 - [Microsoft Education documentation and resources](https://docs.microsoft.com/education)
 - [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
+
+
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 66feebb077..572ace9f5f 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -5,8 +5,10 @@ keywords: Minecraft, Education Edition, IT admins, acquire
 ms.prod: W10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: trudyha
+searchScope:
+ - Store
 ms.author: trudyha
 ---
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 120247f9d3..89cd5cab6a 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index d33c9d5620..b85706e38d 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -5,7 +5,7 @@ keywords: school, student PC setup, Windows Configuration Designer
 ms.prod: W10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 32d966f479..660b765246 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -2,10 +2,11 @@
 title: Provision student PCs with apps
 description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
 keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
-ms.prod: W10
+ms.prod: w10
+ms.pagetype: edu
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index 00647deb81..1498a9f5a3 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md
index 1619f08a9a..5e73aec703 100644
--- a/education/windows/switch-to-pro-education.md
+++ b/education/windows/switch-to-pro-education.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 5da7470ad4..e1c9c918d3 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -6,9 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
+ms.date: 08/07/2017
 ---
 # Take a Test app technical reference
@@ -50,6 +51,18 @@ When Take a Test is running, the following MDM policies are applied to lock down | AllowCortana | Disables Cortana functionality | 0 | | AllowAutoupdate | Disables Windows Update from starting OS updates | 5 | +## Group Policy + +To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC. + +| Functionality | Group Policy path | Policy | +| --- | --- | --- | +| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL | +| Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen | +| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen | +| Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode | +| Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer | + ## Allowed functionality When Take a Test is running, the following functionality is available to students:
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index ba5ffb4d9d..64fbb7095c 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested ---
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 71827e3366..b21ff39bef 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested ---
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 94b00c53fa..9f2282eb80 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested ---
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index fb8d30ef6f..4873c007c6 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -5,8 +5,10 @@ keywords: school, Minecraft, Education Edition, educators, teachers, acquire, di ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: trudyha +searchScope: + - Store ms.author: trudyha ---
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
new file mode 100644
index 0000000000..087af433c9
--- /dev/null
+++ b/education/windows/test-windows10s-for-edu.md
@@ -0,0 +1,233 @@ +--- +title: Test Windows 10 S on existing Windows 10 education devices +description: Provides guidance on downloading and testing Windows 10 S for existing Windows 10 education devices. +keywords: Windows 10 S, try, download, school, education, Windows 10 S installer, existing Windows 10 education devices +ms.mktglfcycl: deploy +ms.prod: w10 +ms.pagetype: edu +ms.sitesec: library +ms.localizationpriority: high +author: CelesteDG +ms.author: celested +ms.date: 08/30/2017 +--- + +# Test Windows 10 S on existing Windows 10 education devices + +**Applies to:** +- Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise + +The Windows 10 S self-installer will allow you to test Windows 10 S on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 S on a variety of devices in your school and share your feedback with us. + +Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). + +Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Windows Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Windows Store. + +**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. 
For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). + +**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Windows Store. + +As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). + +## Before you install Windows 10 S + +### Important information + +Before you install Windows 10 S, be aware that non-Windows Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S: +* Is intended for education customers to test compatibility with existing hardware +* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality +* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function +* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 S is limited to Store apps only + + > [!WARNING] + > You can install Windows 10 S on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 S on Windows 10 Home devices as you won't be able to activate it. 
+ +* Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased + +Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media. + +Before you install Windows 10 S on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device: +* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update). + + See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**. + +* Install the latest Windows Update. + + To do this, go to **Settings > Update & security > Windows Update**. + +* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 S. + + See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this. + +## Supported devices + +The Windows 10 S install will install and activate on the following editions of Windows 10 in use by schools: +* Windows 10 Pro +* Windows 10 Pro Education +* Windows 10 Education +* Windows 10 Enterprise + +Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 S installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 S installer. + +### Preparing your device to install drivers + +Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 S. 
+ +### Supported devices and drivers + +Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer. + +| | | | +| - | - | - | +| Acer | Alldocube | American Future Tech | +| ASBISC | Asus | Atec | +| Axdia | Casper | Cyberpower | +| Daewoo | Daten | Dell | +| Epson | EXO | Fujitsu | +| Getac | Global K | HP | +| Huawei | iNET | Intel | +| LANIT Trading | Lenovo | LG | +| MCJ | Micro P/Exertis | Microsoft | +| MSI | Panasonic | PC Arts | +| Positivo SA | Positivo da Bahia | Samsung | +| Teclast | Thirdwave | Tongfang | +| Toshiba | Trekstor | Trigem | +| Vaio | Wortmann | Yifang | + + +> [!NOTE] +> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future. + + + +## Kept files + +Back up all your data before installing Windows 10 S. Only personal files may be kept during installation. Your settings and apps will be deleted. + +> [!NOTE] +> All existing Win32 applications and data will be deleted. Save any data or installation files in case you may need to access that data again or need to reinstall these applications later. + +## Domain join + +Windows 10 S does not support non-Azure Active Directory domain accounts. Before installing Windows 10 S, you must have at least one of these administrator accounts: +- Local administrator +- Microsoft Account (MSA) administrator +- Azure Active Directory administrator + +> [!WARNING] +> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 S. + +We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 S in case you run into this issue. 
+ +## Installing Office applications + +After installing Windows 10 S, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 S (Education preview). You must have an Office license to activate the applications once they are installed. + + +## Switch to previously installed Windows 10 editions + +If Windows 10 S is not right for you, you can switch to the Windows 10 edition previously installed on your device(s). +* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). +* If you try Windows 10 S and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). + +## Device recovery + +Before installing Windows 10 S, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 S. + +### Create a recovery drive +To create a recovery drive, follow these steps. + +1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice. +2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**. +3. Connect a USB drive to your PC, select it, and then select **Next > Create**. + + A lot of files need to be copied to the recovery drive so this might take a while. + +4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**. 
+ +### Go back to your previous edition of Windows 10 + +Alternatively, for a period of 10 days after you install Windows 10 S, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**. + +To go back, you need to: +* Keep everything in the windows.old and $windows.~bt folders after the upgrade. +* Remove any user accounts you added after the upgrade. + +If going back is not available: +* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**. +* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install. + +### Use installation media to reinstall Windows 10 + +> [!WARNING] +> This will remove all your personal files, apps, and installed drivers. apps and customizations from your PC manufacturer, and changes you made to **Settings**. + +To use an installation media to reinstall Windows 10, follow these steps. + +1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/en-us/software-download/windows10). +2. Download the Media Creation Tool and then run it. +3. Select **Create installation media for another PC**. +4. Choose a language, edition, and architecture (64-bit or 32-bit). +5. Follow the steps to create an installation media and then select **Finish**. +6. Connect the installation media that you created to your non-functional PC, and then turn it on. +7. 
On the initial setup screen, enter your language and other preferences, and then select **Next**. + + If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again. + +8. Select **Install now**. +9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Windows Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation). +10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**. +11. On the **Which type of installation do you want?** page, select **Custom**. +12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions. +13. When you're done formatting, select **Next**. +14. Follow the rest of the setup instructions to finish installing Windows 10. + +## Download Windows 10 S +Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information. + +When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below: + +> [!div class="nextstepaction" style="center"] +> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240) + +After you install Windows 10 S, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default. 
+ +## Terms and Conditions +Because you’re installing Windows 10 S on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. + +## Support +Thank you for testing Windows 10 S. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 S on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 S, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 S with your feedback. + +Common support questions for the Windows 10 S test program: + +* **How do I activate if I don't have a Windows 10 S product key?** + + As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 S and it will automatically activate. Testing Windows 10 S on a device running Windows 10 Home is not recommended and supported at this time. + +* **Will my OEM help me run Windows 10 S?** + + OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 S. When testing Windows 10 S, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above. + +* **What happens when I run Reset or Fresh Start on Windows 10 S?** + + **Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 S. They also remove the 10-day go back ability. 
See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 S. + +* **What if I want to move from Windows 10 S to Windows 10 Pro?** + + If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. + +For help with activation issues, click on the appropriate link below for support options. +* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team. +* If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/en-us/contactus/) website and choose a support option. + + +

    +1 Internet access fees may apply.
    +2 Devices must be configured for educational use by applying **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** using the Set up School PCs app.
    + +

    +
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index bfc4179cfa..ca1953e1e0 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -6,10 +6,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested -ms.date: 06/26/2017 +ms.date: 08/01/2017 --- # Use the Set up School PCs app
@@ -19,8 +19,6 @@ ms.date: 06/26/2017 IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. -![Set up School PCs app](images/suspc_getstarted_050817.png) - ## What does this app do? Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
@@ -41,6 +39,14 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm - Uninstalls apps not specific to education, such as Solitaire - Prevents students from adding personal Microsoft accounts to the PC +You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
    + +
    + +You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI) + ## Tips for success * **Run the same Windows 10 build on the admin device and the student PCs** @@ -113,7 +119,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) 2. Click **Get started**. -3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: +3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. @@ -134,7 +140,7 @@ The **Set up School PCs** app guides you through the configuration choices for t 5. Click **Next**. -4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: +4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. 
@@ -146,7 +152,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) -5. To assign a name to the student PCs, in the **Name these devices** page: +5. To assign a name to the student PCs, in the **Name these devices** page: 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. > [!NOTE] @@ -156,7 +162,7 @@ The **Set up School PCs** app guides you through the configuration choices for t 2. Click **Next**. -6. To specify other settings for the student PC, in the **Configure student PC settings** page: +6. To specify other settings for the student PC, in the **Configure student PC settings** page: - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image. > [!NOTE] 
@@ -180,44 +186,45 @@ The **Set up School PCs** app guides you through the configuration choices for t When you're doing configuring the student PC settings, click **Next**. -7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. - 1. Enter the assessment URL. +7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test. + 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs. 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. + 3. Enter the assessment URL. - If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. + You can leave the URL blank so that students can enter one later. This enables teachers to use the the Take a Test account for daily quizzes or tests by having students manually enter a URL. **Figure 5** - Configure the Take a Test app - ![Configure the Take a Test app](images/suspc_createpackage_takeatest.png) + ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png) 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: +8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. 
The recommended apps include the following: * **Office 365 for Windows 10 S (Education Preview)** * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail. * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S. * **Minecraft: Education Edition** - Free trial * Popular **STEM and Makerspace apps** - 1. Select the apps that you would like to provision and then click **Next** when you're done. + 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu. 2. Click **Skip** if you don't want to provision any apps. - **Figure 6** - Select from a set of recommended Microsoft Store apps + **Figure 6** - Select from a set of recommended apps - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png) + ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png) The set of recommended Microsoft Store for Education apps may vary from what we show here. -9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. +9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. **Figure 7** - Review your settings and change them as needed - ![Review your settings and change them as needed](images/suspc_createpackage_summary.png) + ![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png) 2. Click **Accept**. -10. In the **Insert a USB drive now** page: +10. In the **Insert a USB drive now** page: 1. 
Insert a USB drive to save your settings and create a provisioning package on the USB drive. 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. 3. Click **Save** to save the provisioning package to the USB drive. 
@@ -226,20 +233,20 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) -11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. +11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. **Figure 9** - Provisioning package is ready ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) -12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. +12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. **Figure 10** - Line up the student PCs and get them ready for setup ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png) 13. Click **Next**. -14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. +14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index f25dbdafb2..1b6b32c8a9 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested ---
@@ -27,7 +27,7 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -For Cortana1, +For Cortana[1](#footnote1), - If you're using version 1607, Cortana is removed. - If you're using new devices with version 1703, Cortana is turned on by default. - If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
@@ -60,7 +60,7 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us). ## Related topics -* [Switch Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) +* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) * [Windows deployment for education](http://aka.ms/edudeploy) * [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787) * [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
@@ -69,4 +69,4 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
-1 Cortana available in select markets; experience may vary by region and device.
+1 Cortana available in select markets; experience may vary by region and device.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index 20edf8efe4..567bc31c42 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -288,9 +288,9 @@ The XML file that is included in the Office Deployment Tool specifies the produc

    Sourcepath = "\\Server\Office2016”

    -

    Branch (attribute of Add element)

    -

    Optional. Specifies the update branch for the product that you want to download or install.

    For more information about update branches, see Overview of update branches for Office 365 ProPlus.

    -

    Branch = "Business"

    +

    Channel (attribute of Add element)

    +

    Optional. Specifies the update channel for the product that you want to download or install.

    For more information about update channels, see Overview of update channels for Office 365 ProPlus.

    +

    Channel="Deferred"

    diff --git a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md index b0f7f20fd2..5753d059e3 100644 --- a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md @@ -189,7 +189,7 @@ The available image file types are: - **Windows Imaging File (WIM)** - used to deploy DaRT to a preboot execution environment (PXE) or local partition). -- **International Standards Organization (ISO)** – used to deploy to CD or DVD, or for use in virtual machines (VM)s). The wizard requires that the ISO image have an .iso file name extension because most programs that burn a CD or DVD require that extension. If you do not specify a different location, the ISO image is created on your desktop with the name DaRT8.ISO. +- **ISO image file** – used to deploy to CD or DVD, or for use in virtual machines (VM)s). The wizard requires that the ISO image have an .iso file name extension because most programs that burn a CD or DVD require that extension. If you do not specify a different location, the ISO image is created on your desktop with the name DaRT8.ISO. - **PowerShell script** – creates a DaRT recovery image with commands that provide essentially the same options that you can select by using the DaRT Recovery Image wizard. The script also enables you to add or changes files in the DaRT recovery image. diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md index bfe000fee3..574338d185 100644 --- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md +++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md 
@@ -32,8 +32,8 @@ In the following sections, complete the instructions that correspond to the vers
 // Microsoft BitLocker Administration and Monitoring
 //===================================================
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
 [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@@ -66,9 +66,9 @@ In the following sections, complete the instructions that correspond to the vers
 [ SMS_Report (TRUE) ] Boolean IsAutoUnlockEnabled;
 };
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
 [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")]
@@ -112,8 +112,8 @@ In the following sections, complete the instructions that correspond to the vers
 };
 //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
 [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@@ -126,8 +126,8 @@ In the following sections, complete the instructions that correspond to the vers
 };
 //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
 [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
@@ -194,8 +194,8 @@ In the following sections, complete the instructions that correspond to the vers
 // Microsoft BitLocker Administration and Monitoring
 //===================================================
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
 [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@@ -229,8 +229,8 @@ In the following sections, complete the instructions that correspond to the vers
 Boolean IsAutoUnlockEnabled;
 };
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
 [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@@ -275,8 +275,8 @@ In the following sections, complete the instructions that correspond to the vers
 string EncodedComputerName;
 };
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
 [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@@ -322,8 +322,8 @@ In the following sections, complete the instructions that correspond to the vers
 };
 //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
 [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@@ -336,8 +336,8 @@ In the following sections, complete the instructions that correspond to the vers
 };
 //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
 [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md
index 832f226de7..bef23c5b02 100644
--- a/mdop/mbam-v2/edit-the-configurationmof-file.md
+++ b/mdop/mbam-v2/edit-the-configurationmof-file.md
@@ -42,8 +42,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 //===================================================
 // Microsoft BitLocker Administration and Monitoring
 //===================================================
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
 [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
 class Win32_BitLockerEncryptionDetails
 {
@@ -75,8 +75,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 Boolean IsAutoUnlockEnabled;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
 [DYNPROPS]
 Class Win32Reg_MBAMPolicy
 {
@@ -137,8 +137,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 EncodedComputerName;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
 [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
 class CCM_OperatingSystemExtended
@@ -149,8 +149,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 uint32 SKU;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
 [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
 class CCM_ComputerSystemExtended
@@ -181,8 +181,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 // Microsoft BitLocker Administration and Monitoring
 //===================================================
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
 [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
 class Win32_BitLockerEncryptionDetails
 {
@@ -214,8 +214,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 Boolean IsAutoUnlockEnabled;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
 [DYNPROPS]
 Class Win32Reg_MBAMPolicy
 {
@@ -276,8 +276,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 EncodedComputerName;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
 [DYNPROPS]
 Class Win32Reg_MBAMPolicy_64
 {
@@ -338,8 +338,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 EncodedComputerName;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
 [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
 class CCM_OperatingSystemExtended
@@ -350,8 +350,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
 uint32 SKU;
 };
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
 [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
 class CCM_ComputerSystemExtended
diff --git a/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md b/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
index ed35926a8b..e9c656984d 100644
--- a/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
+++ b/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
@@ -89,6 +89,14 @@ You can use your preferred method to view WMI. If you use PowerShell, run `gwmi

    14

    AutoUnlock unsafe unless the OS volume is encrypted.

    + +

    15

    +

    Policy requires minimum cypher strength is XTS-AES-128 bit, actual cypher strength is weaker than that.

    + + +

    16

    +

    Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that.

    + diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md index 78d2526dde..bb53d965cc 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md @@ -69,30 +69,27 @@ The following diagram and table describe the recommended high-level architecture ![mbam2\-5](images/mbam2-5-cmserver.png) -Server -Features to configure on this server -Description -Database Server +### Database Server -Recovery Database +#### Recovery Database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Recovery Database** stores recovery data that is collected from MBAM Client computers. -Audit Database +#### Audit Database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Audit Database** stores audit activity data that is collected from client computers that have accessed recovery data. -Reports +#### Reports This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services. -Configuration Manager Primary Site Server +### Configuration Manager Primary Site Server System Center Configuration Manager Integration feature 
@@ -104,9 +101,9 @@ System Center Configuration Manager Integration feature - The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software. -Administration and Monitoring Server +### Administration and Monitoring Server -Administration and Monitoring Website +#### Administration and Monitoring Website This feature is configured on a computer running Windows Server. @@ -116,13 +113,13 @@ The **Administration and Monitoring Website** is used to: - View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console. -Self-Service Portal +#### Self-Service Portal This feature is configured on a computer running Windows Server. The **Self-Service Portal** is a website that enables end users on client computers to independently log on to a website to get a recovery key if they lose or forget their BitLocker password. -Monitoring web services for this website +#### Monitoring web services for this website This feature is installed on a computer running Windows Server. @@ -133,9 +130,9 @@ The Monitoring Web Service is no longer available in Microsoft BitLocker Adminis   -Management Workstation +### Management Workstation -MBAM Group Policy Templates +#### MBAM Group Policy Templates - The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption. @@ -146,9 +143,9 @@ MBAM Group Policy Templates   -MBAM Client and Configuration Manager Client computer +### MBAM Client and Configuration Manager Client computer -MBAM Client software +#### MBAM Client software The **MBAM Client**: 
@@ -158,7 +155,7 @@ The **MBAM Client**: - Collects recovery information and computer information about the client computers. -Configuration Manager Client +#### Configuration Manager Client The **Configuration Manager Client** enables Configuration Manager to collect hardware compatibility data about the client computers and report compliance information. diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index 5c94f5c77b..791868131d 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md +++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md @@ -20,7 +20,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa **How to download and deploy the MDOP Group Policy templates** -1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=54957) +1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) 2. Run the downloaded file to extract the template folders. diff --git a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md index d6b256689e..51c1b74957 100644 --- a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md +++ b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md @@ -27,7 +27,7 @@ ADMX files can be installed and tested locally on any computer that runs the Win **To download the UE-V ADMX templates** -1. Download the UE-V ADMX template files: . +1. Download the UE-V ADMX template files: . 2. For more information about how to deploy the Group Policy templates, see . diff --git a/microsoft-365/TOC.md b/microsoft-365/TOC.md new file mode 100644 index 0000000000..06913f7aef --- /dev/null +++ b/microsoft-365/TOC.md 
@@ -0,0 +1 @@
+# [Index](index.md)
\ No newline at end of file
diff --git a/microsoft-365/docfx.json b/microsoft-365/docfx.json
new file mode 100644
index 0000000000..585130e915
--- /dev/null
+++ b/microsoft-365/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "microsoft-365"
+ }
+}
\ No newline at end of file
diff --git a/microsoft-365/index.md b/microsoft-365/index.md
new file mode 100644
index 0000000000..9680f85fcc
--- /dev/null
+++ b/microsoft-365/index.md
@@ -0,0 +1,68 @@
+---
+layout: HubPage
+hide_bc: true
+author: v-kents
+ms.author: celested
+ms.topic: hub-page
+title: Microsoft 365 Documentation
+description: Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
+---
+
\ No newline at end of file
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index 514ff6cfea..0b9807c98b 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
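Review bot: microsoft-365/docfx.json is added without a terminating newline (`\ No newline at end of file`), so end the file with one before merge; the new TOC.md and index.md in the same change have the same issue. `"globalMetadata": {}` is also left empty, so pages in this docset get no default `ms.topic`/`ms.date`-style metadata, whereas the store-for-business/docfx.json hunk later in this diff shows such keys being maintained (and a `searchScope` being added) — presumably the new docset wants equivalent defaults, so confirm that before the first publish. Since `"files": ["**/*.md"]` publishes every markdown file under the folder, the `"exclude"` list is what keeps README.md, LICENSE and similar repository files out of the build, and it should be kept in step with whatever lands in the microsoft-365 folder.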
@@ -14,12 +14,14 @@
 ### [Assign apps to employees](assign-apps-to-employees.md)
 ### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
 ### [Distribute offline apps](distribute-offline-apps.md)
-## [Manage apps](manage-apps-windows-store-for-business-overview.md)
+## [Manage apps and devices](manage-apps-windows-store-for-business-overview.md)
 ### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md)
 ### [Manage app orders in Microsoft Store for Business and Education](manage-orders-windows-store-for-business.md)
 ### [Manage access to private store](manage-access-to-private-store.md)
 ### [Manage private store settings](manage-private-store-settings.md)
 ### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
+### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
+### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
 ## [Device Guard signing portal](device-guard-signing-portal.md)
 ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
 ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
@@ -28,4 +30,5 @@
 ### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
 ## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
 ## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)
+## [Change history for Microsoft Store for Business and Education](sfb-change-history.md)
diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md
index a0af9518aa..aa700ada3e 100644
--- a/store-for-business/acquire-apps-windows-store-for-business.md
+++ b/store-for-business/acquire-apps-windows-store-for-business.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Acquire apps in Microsoft Store for Business and Education
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 1fb8b493b6..0f6cc91a16 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -8,7 +8,7 @@ ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.date: 07/05/2107
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Manage Windows device deployment with Windows AutoPilot Deployment
@@ -17,7 +17,10 @@ localizationpriority: high
 - Windows 10
-Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://review.docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot?branch=dh-autopilot11975619).
+> [!IMPORTANT]
+> This topic has been updated to reflect the latest functionality, which we are releasing to customers in stages. You may not see all of the options described here until you receive the update.
+
+Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot).
 ## What is Windows AutoPilot Deployment Program?
 In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device.
@@ -55,7 +58,7 @@ Columns in the device information file need to use this naming and be in this or
 - Column 2: Windows Product ID
 - Column 3: Hardware Hash
-When you add devices, you need to add them to an *AutoPilot deployment group*. AutoPilot deployment groups allow you to apply an AutoPilot deployment profile to multiple devices. The first time you add devices to a group, you'll need to create an AutoPilot deployment group.
+When you add devices, you need to add them to an *AutoPilot deployment group*. Use these groups to apply AutoPilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an AutoPilot deployment group.
 > [!NOTE]
 > You can only add devices to a group when you add devices to **Microsoft Store for Business and Education**. If you decide to reorganize devices into different groups, you'll need to delete them from **Devices** in **Microsoft Store**, and add them again.
@@ -107,13 +110,17 @@ After you've applied an AutoPilot deployment profile to a device, if you decide
 > The new profile will only be applied if the device has not been started, and gone through the out-of-box experience. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
 ## AutoPilot device information file error messages
-Here's more info on some of the errors you might see while working with AutoPilot deployment profiles in **Microsoft Store for Business and Education**.
+Here's info on some of the errors you might see while working with AutoPilot deployment profiles in **Microsoft Store for Business and Education**.
 | Message Id | Message explanation |
 | ---------- | ------------------- |
 | wadp001 | Check your file, or ask your device partner for a complete .csv file. This file is missing Serial Number and Product Id info. |
 | wadp002 | Check your file, or ask your device partner for updated hardware hash info in the .csv file. Hardware hash info is invalid in the current .csv file. |
-| wadp003 | Looks like you need more than one csv file for your devices. The maximum allowed is 1,000 items. You’re over the limit! Divide this device data into multiple .csv files. |
+| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You’re over the limit! Divide this device data into multiple .csv files. |
 | wadp004 | Try that again. Something happened on our end. Waiting a bit might help. |
-| wadp005 | Check with your device provider for your csv file. One of the devices on your list has been claimed by another organization. |
-| wadp006 | Try that again. Something happened on our end. Waiting a bit might help. |
\ No newline at end of file
+| wadp005 | Check your .csv file with your device provider. One of the devices on your list has been claimed by another organization. 
 |
+| wadp006 | Try that again. Something happened on our end. Waiting a bit might help. |
+| wadp007 | Check the info for this device in your .csv file. The device is already registered in your organization. |
+| wadp008 | The device does not meet AutoPilot Deployment requirements. |
+| wadp009 | Check with your device provider for an update .csv file. The current file doesn’t work |
+| wadp010 | Try that again. Something happened on our end. Waiting a bit might help. |
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index 46c453edf1..c3c6701559 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store, security
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Add unsigned app to code integrity policy
diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md
index 379618509a..062c2dbeef 100644
--- a/store-for-business/app-inventory-management-windows-store-for-business.md
+++ b/store-for-business/app-inventory-management-windows-store-for-business.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+ms.author: TrudyHa
+ms.date: 06/29/2017
 ---
 # App inventory management for Microsoft Store for Business and Education
@@ -165,4 +167,16 @@ You can download offline-licensed apps from your inventory. You'll need to downl
 For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
-For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
\ No newline at end of file
+For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
+
+## Manage products programmatically
+
+Microsoft Store for Business and Education provides a set of Admin management APIs. If you orgranization develops scripts or tools, these APIs allow Admins to programmatically manage items in **Apps & software**. For more information, see [REST API reference for Microsoft Store for Business](https://docs.microsoft.com/windows/client-management/mdm/rest-api-reference-windows-store-for-business).
+
+You can download a preview PoweShell script that uses REST APIs. The script is available from PowerShell Gallery. You can use to the script to:
+- View items in inventory (**Apps & software**)
+- Manage licenses - assigning and removing
+- Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses
+
+> [!NOTE]
+> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
\ No newline at end of file
diff --git a/store-for-business/apps-in-windows-store-for-business.md b/store-for-business/apps-in-windows-store-for-business.md
index 4c037486e6..116d6a33fa 100644
--- a/store-for-business/apps-in-windows-store-for-business.md
+++ b/store-for-business/apps-in-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Apps in Microsoft Store for Business and Education
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index b2c821a77a..ff20b5bbab 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Assign apps to employees
diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-windows-store-for-business.md
index 455c12dea0..2074e51990 100644
--- a/store-for-business/configure-mdm-provider-windows-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure an MDM provider
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 4365cacfe3..f2fdf4a8d4 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store, security
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Device Guard signing
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index f93a4ac288..1b56b97f4b 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute apps using your private store diff --git a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md index 21a610dc18..dc3de6e6a7 100644 --- a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute apps to your employees from Microsoft Store for Business and Education diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index befde0855e..557c355557 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute apps with a management tool diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 72078b74da..1d3c0b70b4 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute offline apps diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 9fe69e52a3..accb0bcea0 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json 
@@ -37,6 +37,7 @@ "ms.technology": "windows", "ms.topic": "article", "ms.date": "05/09/2017", + "searchScope": ["Store"], "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.store-for-business" diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index 1c2ebc03b3..52f7890448 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md @@ -14,6 +14,7 @@ ## [Get Minecraft: Education Edition](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json) ### [For teachers: get Minecraft Education Edition](/education/windows/teacher-get-minecraft?toc=/microsoft-store/education/toc.json) ### [For IT administrators: get Minecraft Education Edition](/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json) +### [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json) ## [Distribute apps to your employees from the Microsoft Store for Business and Education](/microsoft-store/distribute-apps-to-your-employees-windows-store-for-business?toc=/microsoft-store/education/toc.json) ### [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store?toc=/microsoft-store/education/toc.json) ### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json) diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index fd460d3479..2a4a9e8fba 100644 --- a/store-for-business/find-and-acquire-apps-overview.md +++ b/store-for-business/find-and-acquire-apps-overview.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Find and acquire apps 
diff --git a/store-for-business/images/lob-sku.png b/store-for-business/images/lob-sku.png new file mode 100644 index 0000000000..8637fd3f3d Binary files /dev/null and b/store-for-business/images/lob-sku.png differ diff --git a/store-for-business/index.md b/store-for-business/index.md index f8fca9deb1..47bb90b981 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Microsoft Store for Business and Education diff --git a/store-for-business/manage-apps-windows-store-for-business-overview.md b/store-for-business/manage-apps-windows-store-for-business-overview.md index 6757e4eecd..e5c6524871 100644 --- a/store-for-business/manage-apps-windows-store-for-business-overview.md +++ b/store-for-business/manage-apps-windows-store-for-business-overview.md @@ -1,5 +1,5 @@ --- -title: Manage apps in Microsoft Store for Business (Windows 10) +title: Manage apps and devices in Microsoft Store for Business (Windows 10) description: Manage settings and access to apps in Microsoft Store for Business. ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202 ms.prod: w10 @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage apps in Microsoft Store for Business and Education 
@@ -26,4 +26,5 @@ Manage settings and access to apps in Microsoft Store for Business and Microsoft | [Manage access to private store](manage-access-to-private-store.md) | You can manage access to your private store in Store for Business. | | [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. | | [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. | -| [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. | \ No newline at end of file +| [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. | +| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. 
When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. | \ No newline at end of file diff --git a/store-for-business/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-windows-store-for-business.md index eb5218d9ec..08da797130 100644 --- a/store-for-business/manage-orders-windows-store-for-business.md +++ b/store-for-business/manage-orders-windows-store-for-business.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage app orders in Microsoft Store for Business and Education diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 470e99fbed..af833aefb3 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage private store settings diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md index 906f3174a0..f9592cd92e 100644 --- a/store-for-business/manage-settings-windows-store-for-business.md +++ b/store-for-business/manage-settings-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage settings for Microsoft Store for Business and Education diff --git a/store-for-business/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-windows-store-for-business.md index f2cc141ca7..eb0834b8b6 100644 
--- a/store-for-business/manage-users-and-groups-windows-store-for-business.md +++ b/store-for-business/manage-users-and-groups-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage user accounts in Microsoft Store for Business and Education diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md new file mode 100644 index 0000000000..b36cf701fa --- /dev/null +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md 
@@ -0,0 +1,155 @@
+---
+title: Microsoft Store for Business and Education PowerShell module - preview
+description: Preview version of PowerShell module
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+localizationpriority: high
+ms.author:
+ms.date:
+---
+
+# Microsoft Store for Business and Education PowerShell module - preview
+
+**Applies to**
+- Windows 10
+
+Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
+
+> [!NOTE]
+> This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
+
+You can use the PowerShell module to:
+- View items you've purchased - shown in **Apps & software**
+- Manage licenses - assigning and removing
+- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
+
+>[!NOTE]
+>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
+
+## Requirements
+To use the Microsoft Store for Business and Education PowerShell module, you'll need:
+- Administrator permission for the device
+- Admin role for Microsoft Store for Business and Education
+
+
+## Get started with Microsoft Store for Business and Education PowerShell module
+All of the **Microsoft Store for Business and Education** PowerShell cmdlets follow the *Verb*-MSStore*Noun* pattern to clearly indicate that they work with **Microsoft Store for Business and Education** PowerShell module. You will need to install the module on your Windows 10 device once and then import it into each PowerShell session you start.
+
+## Install Microsoft Store for Business and Education PowerShell module
+> [!NOTE]
+> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](http://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default).
+
+To install **Microsoft Store for Business and Education PowerShell** with PowerShellGet, run this command:
+
+```powershell
+# Install the Microsoft Store for Business and Education PowerShell module from PowerShell Gallery
+
+Install-Module -Name MSStore
+
+```
+
+## Import MIcrosoft Store for Business and Education PowerShell module into the PowerShell session
+Once you install the module on your Windows 10 device, you will need to then import it into each PowerShell session you start.
+
+```powershell
+# Import the MSStore module into this session
+
+Import-Module -Name MSStore
+
+```
+
+Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module.
+
+To authorize the PowerShell module, run this command. You'll need to sign-in with your work or school account, and authorize the module to access your tenant.
+
+```powershell
+# Grant MSStore Access to your Microsoft Store for Business and Education
+
+Grant-MSStoreClientAppAccess
+
+```
+You will be promted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used.
+
+## View items in Products and Services
+Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview.
+
+```powershell
+# View items in inventory (Apps & software)
+
+Get-MSStoreInventory
+
+```
+
+>[!TIP]
+>**Get-MSStoreInventory** won't return the product name for line-of-business apps. To get the product ID and SKU for a line-of-business app:
+>
+>1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
+>2. Click **Manage** and then choose **Apps & software**.
+>3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
+>![Url after apps/ is product id and next is SKU](images/lob-sku.png)
+
+## View people assigned to a product
+Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
+
+```powershell
+# View products assigned to people
+
+Get-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016
+
+```
+
+> [!Important]
+> Microsoft Store for Business and Education identifies Minecraft: Education Edition license types using a combination of Product ID and SKU ID. To manage license assignments for your Minecraft: Education Edition, you need to specify Product and SKU IDs for the licenses you want to manage in the cmdlet. The following table lists the Product and SKU IDs.
+
+
+| License Type | Product ID | SKU ID |
+| ------------ | -----------| -------|
+| Purchased through Microsoft Store for Business and Education with a credit card | CFQ7TTC0K5DR | 0001 |
+| Purchased through Microsoft Store for Business and Education with an invoice | CFQ7TTC0K5DR | 0004 |
+| Purchased through Microsoft Volume Licensing Agreement | CFQ7TTC0K5DR | 0002 |
+| Acquired through Windows 10 device promotion | CFQ7TTC0K5DR | 0005 |
+
+## Assign or reclaim products
+Once you have enumerated items in **Products and Service**, you can assign or reclaim licenses to and from people in your org.
+
+These commands assign a product to a user and then reclaim it.
+
+```powershell
+# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
+
+Add-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
+
+# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
+
+Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
+
+```
+
+## Assign or reclaim a product with a .csv file
+You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module.
+
+**To assign or reclaim seats in bulk:**
+
+```powershell
+# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
+
+Add-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
+
+# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
+
+Remove-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
+
+```
+
+## Uninstall Microsoft Store for Business and Education PowerShell module
+You can remove **Microsoft Store for Business and Education PowerShell** from your computer by running the following PowerShell Command.
+
+```powershell
+# Uninstall the MSStore Module
+
+Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module
+
+```
\ No newline at end of file
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index cb657a21ef..0d541ce0d6 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
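Review bot: The uninstall command at the end of this new page, `Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module`, pins a version that the install step never pinned — `Install-Module -Name MSStore` takes whatever version PowerShell Gallery currently serves, so once any later release ships `Get-InstalledModule` matches nothing and the pipeline silently removes nothing. Either drop the constraint (`Get-InstalledModule -Name "MSStore" | Uninstall-Module`) or pin both commands to the same `-RequiredVersion`. Because the page has readers pull a preview module from the public gallery and then run `Grant-MSStoreClientAppAccess` to give it access to the tenant's Store account, it would also help to tell them to check the module's publisher and version before installing (for example with `Find-Module -Name MSStore`) and to state that uninstalling the module presumably does not revoke that granted access, which the page as written does not mention. Separately, the sentences "Azure PowerShell cmdlets are loaded and ready to be used" and "Service management should encounter no breaking changes as a result of the separation of Azure Service Management" read as leftover Azure boilerplate and do not describe this module.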
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Notifications in Microsoft Store for Business and Education diff --git a/store-for-business/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-windows-store-for-business.md index c76035ac35..a07a501b9e 100644 --- a/store-for-business/prerequisites-windows-store-for-business.md +++ b/store-for-business/prerequisites-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Prerequisites for Microsoft Store for Business and Education diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-windows-store-for-business.md index 7a3cd37936..8b3a7e74a3 100644 --- a/store-for-business/roles-and-permissions-windows-store-for-business.md +++ b/store-for-business/roles-and-permissions-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Roles and permissions in Microsoft Store for Business and Education diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md index 08ce28a32e..09fbf09a41 100644 --- a/store-for-business/settings-reference-windows-store-for-business.md +++ b/store-for-business/settings-reference-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Settings reference: Microsoft Store for Business and Education 
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
new file mode 100644
index 0000000000..ed0904b3ee
--- /dev/null
+++ b/store-for-business/sfb-change-history.md
@@ -0,0 +1,46 @@ +--- +title: Change history for Microsoft Store for Business and Education +description: Summary of topic changes for Microsoft Store for Business and Microsoft Store for Education. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.author: TrudyHa +ms.date: 07/12/2107 +ms.localizationpriority: high +--- + +# Change history for Microsoft Store for Business and Microsoft Store for Education + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +## July 2017 + +| New or changed topic | Description | +| --- | --- | +| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New | + + +## June 2017 +| New or changed topic | Description | +| -------------------- | ----------- | +| [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. | +| [Get Minecraft: Education Edition with Windows 10 device promotion](https://docs.microsoft.com/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. | +| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | + +## July 2017 +  +| New or changed topic | Description | +| -------------------- | ----------- | +| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | New. Information about Windows AutoPilot Deployment Program and how it is used in Microsoft Store for Business and Education. 
| +| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | +  + + + + + diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index 28adabcee9..09775ac8fe 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Sign code integrity policy with Device Guard signing diff --git a/store-for-business/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-windows-store-for-business-overview.md index 8b61671bfe..496e92c40e 100644 --- a/store-for-business/sign-up-windows-store-for-business-overview.md +++ b/store-for-business/sign-up-windows-store-for-business-overview.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Sign up and get started diff --git a/store-for-business/sign-up-windows-store-for-business.md b/store-for-business/sign-up-windows-store-for-business.md index f716149cbc..cd3f6bd322 100644 --- a/store-for-business/sign-up-windows-store-for-business.md +++ b/store-for-business/sign-up-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Sign up for Microsoft Store for Business or Microsoft Store for Education 
diff --git a/store-for-business/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-windows-store-for-business.md index b12f94afae..2443391b42 100644 --- a/store-for-business/troubleshoot-windows-store-for-business.md +++ b/store-for-business/troubleshoot-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Troubleshoot Microsoft Store for Business diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index f844b5251a..f88eec0840 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Update Microsoft Store for Business and Microsoft Store for Education account settings @@ -56,6 +56,7 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Lithuania - Luxembourg - Malta +- Monaco - Netherlands - Norway - Poland @@ -74,8 +75,10 @@ These countries can provide their VAT number or local equivalent in **Payments & |------|----------------| | Australia | ABN (optional) | | Brazil | CNPJ (required) | -| India | CST ID, VAT ID (both are optional) | +| India | GSTIN (optional), PAN ID (required) | +| Isle of Man | VAT ID (optional) | | New Zealand | GST Registration number (optional) | +| Monaco | VAT ID (optional) | | Taiwan | VAT ID (optional) | ### Tax-exempt status diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 5bc9195325..0ec624a13e 100644 --- a/store-for-business/windows-store-for-business-overview.md 
+++ b/store-for-business/windows-store-for-business-overview.md @@ -7,7 +7,7 @@ ms.pagetype: store, mobile ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Microsoft Store for Business and Microsoft Store for Education overview @@ -157,16 +157,20 @@ For more information, see [Manage settings in the Store for Business](manage-set Microsoft Store for Business and Education is currently available in these markets. -### Support for free and paid apps +### Support for free and paid products - + - + - + - @@ -305,7 +341,6 @@ Microsoft Store for Business and Education is currently available in these marke ### Support for free apps Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: -- India - Russia ### Support for free apps and Minecraft: Education Edition @@ -317,8 +352,11 @@ Customers in these markets can use Microsoft Store for Business and Education to - Bosnia - Brazil - Georgia +- India +- Isle of Man - Kazakhstan - Korea +- Monaco - Republic of Moldova - Taiwan - Tajikistan diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index ca39d9903b..1c683c1be0 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Working with line-of-business apps diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md index d9e141960f..7dbb46c015 100644 --- a/windows/access-protection/TOC.md +++ b/windows/access-protection/TOC.md 
@@ -179,11 +179,4 @@ ##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md) ## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) -### [How Windows Hello for Business works](hello-for-business/hello-how-it-works.md) -### [Manage Windows Hello for Business in your organization](hello-for-business/hello-manage-in-organization.md) -### [Why a PIN is better than a password](hello-for-business/hello-why-pin-is-better-than-password.md) -### [Prepare people to use Windows Hello](hello-for-business/hello-prepare-people-to-use.md) -### [Windows Hello and password changes](hello-for-business/hello-and-password-changes.md) -### [Windows Hello errors during PIN creation](hello-for-business/hello-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](hello-for-business/hello-event-300.md) -### [Windows Hello biometrics in the enterprise](hello-for-business/hello-biometrics-in-enterprise.md) + diff --git a/windows/access-protection/access-control/access-control.md b/windows/access-protection/access-control/access-control.md index 006ffb29ab..018b69744e 100644 --- a/windows/access-protection/access-control/access-control.md +++ b/windows/access-protection/access-control/access-control.md 
@@ -114,7 +114,7 @@ User rights grant specific privileges and sign-in rights to users and groups in User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**. -For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/access-user-rights-assignment). +For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). ## Object auditing diff --git a/windows/access-protection/access-control/microsoft-accounts.md b/windows/access-protection/access-control/microsoft-accounts.md index 4b54894c21..01efb97d0a 100644 --- a/windows/access-protection/access-control/microsoft-accounts.md +++ b/windows/access-protection/access-control/microsoft-accounts.md 
@@ -14,20 +14,12 @@ ms.pagetype: security
 This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
-Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password.
+Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
-There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic.
-
-When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices.
-
-**Note**   
-This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic.
-
-  
+When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
 ## How a Microsoft account works
-
 The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association.
When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
 When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
@@ -35,19 +27,17 @@ When users sign in to websites that are enabled to use a Microsoft account, a ti **Important**   Local Windows account functionality has not been removed, and it is still an option to use in managed environments. -  - ### How Microsoft accounts are created -To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped. +To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped. -Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise. +Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise. There are two methods for creating a Microsoft account: - **Use an existing email address**. - Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password. + Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords. - **Sign up for a Microsoft email address**. 
@@ -118,13 +108,46 @@ Depending on your IT and business models, introducing Microsoft accounts into yo ### Restrict the use of the Microsoft account -If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain. +The following Group Policy settings help control the use of Microsoft accounts in the enterprise: -The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can: +- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication) +- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts) -1. Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +#### Block all consumer Microsoft account user authentication -2. Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system. +This setting controls whether users can provide Microsoft accounts for authentication for applications or services. 
+
+If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
+This applies both to existing users of a device and new users who may be added.
+
+However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
+It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
+
+If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
+By default, this setting is **Disabled**.
+
+This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
+
+The path to this setting is:
+
+Computer Configuration\Administrative Templates\Windows Components\Microsoft account
+
+#### Accounts: Block Microsoft accounts
+
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
+
+There are two options if this setting is enabled:
+
+- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
+- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
+
+This setting does not affect adding a Microsoft account for application authentication.
For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
+
+By default, this setting is **Not defined**.
+
+The path to this setting is:
+
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
 ### Configure connected accounts
@@ -135,8 +158,6 @@ Users can disconnect a Microsoft account from their domain account at any time a
 **Note**   
 Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
-  
-
 ### Provision Microsoft accounts in the enterprise
 Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.
diff --git a/windows/access-protection/change-history-for-access-protection.md b/windows/access-protection/change-history-for-access-protection.md
index 84f9f86663..98eb8cc435 100644
--- a/windows/access-protection/change-history-for-access-protection.md
+++ b/windows/access-protection/change-history-for-access-protection.md
@@ -11,6 +11,11 @@ author: brianlic-msft
 # Change history for access protection
 This topic lists new and updated topics in the [Access protection](index.md) documentation.
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
+
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|
diff --git a/windows/access-protection/configure-s-mime.md b/windows/access-protection/configure-s-mime.md
index 61abd34c67..d2b4456dc9 100644
--- a/windows/access-protection/configure-s-mime.md
+++ b/windows/access-protection/configure-s-mime.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
diff --git a/windows/access-protection/credential-guard/additional-mitigations.md b/windows/access-protection/credential-guard/additional-mitigations.md
index 706bdef10b..b51485e74c 100644
--- a/windows/access-protection/credential-guard/additional-mitigations.md
+++ b/windows/access-protection/credential-guard/additional-mitigations.md
@@ -1,21 +1,21 @@
 ---
-title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
-description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
+title: Additional mitigations
+description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
 ## Additional mitigations
-Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
### Restricting domain users to specific domain-joined devices
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
 #### Kerberos armoring
@@ -25,11 +25,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
 - Users need to be in domains that are running Windows Server 2012 R2 or higher
 - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
 #### Protecting domain-joined device secrets
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates.
This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
 Domain-joined device certificate authentication has the following requirements:
 - Devices' accounts are in Windows Server 2012 domain functional level or higher.
@@ -59,7 +59,7 @@ For example, let's say you wanted to use the High Assurance policy only on these
 8. Under **Issuance Policies**, click**High Assurance**.
 9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
-Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
 **Enrolling devices in a certificate**
@@ -126,7 +126,7 @@ Authentication policies have the following requirements:
 To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
-To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx).
 ### Appendix: Scripts
@@ -607,6 +607,6 @@ write-host $tmp -Foreground Red
 ## See also
-**Deep Dive into Credential Guard: Related videos**
+**Deep Dive into Windows Defender Credential Guard: Related videos**
-[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
+[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md
index 1663325a24..6b15f98feb 100644
--- a/windows/access-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/access-protection/credential-guard/credential-guard-considerations.md
@@ -1,43 +1,97 @@
 ---
-title: Considerations when using Credential Guard (Windows 10)
-description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
+title: Considerations when using Windows Defender Credential Guard (Windows 10)
+description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Considerations when using Credential Guard
+# Considerations when using Windows Defender Credential Guard
 **Applies to**
 - Windows 10
 - Windows Server 2016
-Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
-in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
+in the **Deep Dive into Windows Defender Credential Guard** video series.
-- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
-- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported.
We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. -- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. - -- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: - - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. 
If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
+Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+
+Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
 ## Wi-fi and VPN Considerations
-When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
-
+When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
 ## Kerberos Considerations
-When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
+When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption.
Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
+
+## 3rd Party Security Support Providers Considerations
+Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+
+## Upgrade Considerations
+As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
+
+### Saved Windows Credentials Protected
+
+Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard.
Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
+ - Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+ - Applications that extract Windows credentials fail.
+ - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+
+## Clearing TPM Considerations
+Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.
+
+>[!WARNING]
+> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
    +> When a TPM is cleared ALL features, which use VBS to protect data can no longer decrypt their protected data.
+
+As a result Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
+
+>[!NOTE]
+> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup.
+
+### Windows credentials saved to Credential Manager
+Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
+
+### Domain-joined device’s automatically provisioned public key
+Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy disabled. For more information on Configuring device to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx).
+
+### Breaking DPAPI on domain-joined devices
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible.
+
+>[!IMPORTANT]
+> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
    +Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
+
+If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
+
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller:
+
+|Credential Type | Windows 10 version | Behavior
+|---|---|---|
+| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
+| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
+| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
+| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.
+
+Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
+
+#### Impact of DPAPI failures on Windows Information Protection
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
+
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate.
For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
 ## See also
-**Deep Dive into Credential Guard: Related videos**
+**Deep Dive into Windows Defender Credential Guard: Related videos**
 [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
diff --git a/windows/access-protection/credential-guard/credential-guard-how-it-works.md b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
index da731369ea..77e7afc566 100644
--- a/windows/access-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
@@ -1,44 +1,43 @@
 ---
-title: How Credential Guard works
-description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
+title: How Windows Defender Credential Guard works
+description: Using virtualization-based security, Windows Defender Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# How Credential Guard works
+# How Windows Defender Credential Guard works
 **Applies to**
 - Windows 10
 - Windows Server 2016
-Prefer video? See [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series.
+Prefer video? See [Windows Defender Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the **Deep Dive into Windows Defender Credential Guard** video series.
-
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets.
Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
+When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
 Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-![Credential Guard overview](images/credguard.png)
+![Windows Defender Credential Guard overview](images/credguard.png)
 ## See also
-**Deep Dive into Credential Guard: Related videos**
+**Deep Dive into Windows Defender Credential Guard: Related videos**
 [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
 [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
-[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
+[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md
index d3b2ea0fff..9e81fbf823 100644
--- a/windows/access-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md
@@ -1,49 +1,66 @@
 ---
-title: Credential Guard Known issues (Windows 10)
-description: Credential Guard - Known issues in Windows 10 Enterprise
+title: Windows Defender Credential Guard - Known issues (Windows 10)
+description: Windows Defender Credential Guard - Known issues in Windows 10 Enterprise
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Credential Guard: Known issues
+# Windows Defender Credential Guard: Known issues
 **Applies to**
 - Windows 10
 - Windows Server 2016
-Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
-The following known issue has been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
-- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
+- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
- This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and
-[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
+ This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
+
+
+- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
+
+ This issue can potentially lead to unexpected account lockouts.
The issue was fixed in servicing updates for each of the following operating systems:
+
+ - Windows 10 Version 1607 and Windows Server 2016:
+ [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217)
+ - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219)
+ - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221)
+
+## Known issues involving third-party applications
+
+The following issue affects the Java GSS API. See the following Oracle bug database article:
+
+- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
+
+When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
 The following issue affects Cisco AnyConnect Secure Mobility Client:
-- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
+- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
 *Registration required to access this article.
 The following issue affects McAfee Application and Change Control (MACC):
-- [KB88869 Windows 10 machines exhibit high CPU sage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1]
+- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1]
 The following issue affects AppSense Environment Manager. For further information, see the following Knowledge Base article:
-- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \**
+- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \**
 The following issue affects Citrix applications:
-- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. [1]
+- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1]
-[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
+[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage.
For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
-- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/en-us/help/4032786)
+- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
 For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
@@ -56,23 +73,23 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated
 See the following article on Citrix support for Secure Boot:
 - [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
-Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
+Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
-- For Credential Guard on Windows 10 with McAfee Encryption products, see:
-[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see:
+[Support for Windows Defender Device Guard and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
-- For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
-[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
+[Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Windows Defender Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
-- For Credential Guard on Windows 10 with VMWare Workstation
-[Windows 10 host fails when running VMWare Workstation when Credential Guard is
enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation
+[Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
-- For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
-[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
+[ThinkPad support for Windows Defender Device Guard and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
-- For Credential Guard on Windows 10 with Symantec Endpoint Protection
-[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection
+[Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
- This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard.
+ This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10.
Specific computer system models may be incompatible with Windows Defender Credential Guard.
 Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
\ No newline at end of file
diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
index ee41c90cff..46fce57a6e 100644
--- a/windows/access-protection/credential-guard/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -1,46 +1,46 @@
 ---
-title: Manage Credential Guard (Windows 10)
-description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
+title: Manage Windows Defender Credential Guard (Windows 10)
+description: Deploying and managing Windows Defender Credential Guard using Group Policy, the registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Manage Credential Guard
+# Manage Windows Defender Credential Guard
 **Applies to**
 - Windows 10
 - Windows Server 2016
-Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series.
+Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series.
-## Enable Credential Guard
-Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
-The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
+## Enable Windows Defender Credential Guard
+Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
-### Enable Credential Guard by using Group Policy
+### Enable Windows Defender Credential Guard by using Group Policy
-You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
+You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Windows Defender Device Guard**.
 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
 3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
-4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**.
+4. In the **Windows Defender Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
- ![Credential Guard Group Policy setting](images/credguard-gp.png)
+ ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp.png)
 5. Close the Group Policy Management Console. To enforce processing of the group policy, you can run ```gpupdate /force```.
-### Enable Credential Guard by using the registry
+### Enable Windows Defender Credential Guard by using the registry
-If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
+If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
 #### Add the virtualization-based security features
@@ -49,7 +49,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows
 If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
 > [!NOTE]
-If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
+If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
  
 **Add the virtualization-based security features by using Programs and Features**
@@ -75,55 +75,46 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
 > [!NOTE]
 > You can also add these features to an online image by using either DISM or Configuration Manager.
-#### Enable virtualization-based security and Credential Guard
+#### Enable virtualization-based security and Windows Defender Credential Guard
 1. Open Registry Editor.
 2. Enable virtualization-based security:
 - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
 - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
 - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
-3. Enable Credential Guard:
+3. Enable Windows Defender Credential Guard:
 - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
+ - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
 4. Close Registry Editor.
 > [!NOTE]
-> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
-You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 ```
 DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
 ```
-### Credential Guard deployment in virtual machines
+### Review Windows Defender Credential Guard performance
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
+**Is Windows Defender Credential Guard running?**
-#### Requirements for running Credential Guard in Hyper-V virtual machines
-
-- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
-
-### Review Credential Guard performance
-
-**Is Credential Guard running?**
-
-You can view System Information to check that Credential Guard is running on a PC.
+You can view System Information to check that Windows Defender Credential Guard is running on a PC.
 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
 2. Click **System Summary**.
-3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
+3.
Confirm that **Windows Defender Credential Guard** is shown next to **Windows Defender Device Guard Security Services Running**.
 Here's an example:
 ![System Information](images/credguard-msinfo32.png)
-You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 ```
 DG_Readiness_Tool_v3.2.ps1 -Ready
@@ -133,24 +124,24 @@ DG_Readiness_Tool_v3.2.ps1 -Ready
 For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.
-- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain.
+- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain.
-- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
- - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
+- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+ - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+ - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
+ - The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it’s not configured to run.
 - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
+ - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+ - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
 You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
 - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
-## Disable Credential Guard
+## Disable Windows Defender Credential Guard
-If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+If you have to disable Windows Defender Credential Guard on a PC, you can use the following set of procedures, or you can [use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
-1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
+1.
If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Windows Defender Device Guard** -> **Turn on Virtualization Based Security**).
 2. Delete the following registry settings:
 - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
 - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
@@ -159,7 +150,7 @@ If you have to disable Credential Guard on a PC, you can use the following set o
 > [!IMPORTANT]
 > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
+3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
 ``` syntax
 mountvol X: /s
@@ -180,26 +171,26 @@ If you have to disable Credential Guard on a PC, you can use the following set o
```
2. Restart the PC.
-3. Accept the prompt to disable Credential Guard.
-4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
+3. Accept the prompt to disable Windows Defender Credential Guard.
+4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
-> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
+For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
-#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
-You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot
```
-#### Disable Credential Guard for a virtual machine
+#### Disable Windows Defender Credential Guard for a virtual machine
-From the host, you can disable Credential Guard for a virtual machine:
+From the host, you can disable Windows Defender Credential Guard for a virtual machine:
``` PowerShell
Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
diff --git a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
index bce8580dfb..40cba9bb70 100644
--- a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -1,46 +1,46 @@
---
-title: Credential Guard protection limits (Windows 10)
-description: Scenarios not protected by Credential Guard in Windows 10.
+title: Windows Defender Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Windows Defender Credential Guard in Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
-# Credential Guard protection limits
+# Windows Defender Credential Guard protection limits
**Applies to**
- Windows 10
- Windows Server 2016
-Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Windows Defender Credential Guard video series.
-Some ways to store credentials are not protected by Credential Guard, including:
+Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
-- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. 
It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+ - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
-- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. 
They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
## Additional mitigations
-Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
### Restricting domain users to specific domain-joined devices
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. 
How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
#### Kerberos armoring 
@@ -50,11 +50,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
#### Protecting domain-joined device secrets
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. 
This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
@@ -84,7 +84,7 @@ For example, let's say you wanted to use the High Assurance policy only on these
8. Under **Issuance Policies**, click**High Assurance**.
9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
-Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
**Enrolling devices in a certificate**
@@ -636,6 +636,6 @@ write-host $tmp -Foreground Red
## See also
-**Deep Dive into Credential Guard: Related videos**
+**Deep Dive into Windows Defender Credential Guard: Related videos**
-[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
+[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/access-protection/credential-guard/credential-guard-protection-limits.md b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
index f159c931c3..4d45a1518b 100644
--- a/windows/access-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
@@ -1,41 +1,41 @@
---
-title: Credential Guard protection limits (Windows 10)
-description: Scenarios not protected by Credential Guard in Windows 10.
+title: Windows Defender Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Windows Defender Credential Guard in Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
-# Credential Guard protection limits
+# Windows Defender Credential Guard protection limits
**Applies to**
- Windows 10
- Windows Server 2016
-Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Windows Defender Credential Guard video series.
-Some ways to store credentials are not protected by Credential Guard, including:
+Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
-- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. 
It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+ - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
-- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. 
They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
## See also
-**Deep Dive into Credential Guard: Related videos**
+**Deep Dive into Windows Defender Credential Guard: Related videos**
-[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
+[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md
index 0053b52421..0f1c09fb9e 100644
--- a/windows/access-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/access-protection/credential-guard/credential-guard-requirements.md
@@ -1,31 +1,30 @@
---
-title: Credential Guard Requirements (Windows 10)
-description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
+title: Windows Defender Credential Guard Requirements (Windows 10)
+description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
-# Credential Guard: Requirements
+# Windows Defender Credential Guard: Requirements
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See
-[Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
-in the Deep Dive into Credential Guard video series.
-
-For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). 
+[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
+in the Deep Dive into Windows Defender Credential Guard video series.
+For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements
-To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
+To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) 
@@ -36,16 +35,29 @@ The Virtualization-based security requires:
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
+### Windows Defender Credential Guard deployment in virtual machines
+
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
+
+#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines
+
+- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
+
+For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/)
+
+For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
+
## Application requirements
-When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
+When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. 
Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
>[!WARNING]
-> Enabling Credential Guard on domain controllers is not supported.
    -> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
+> Enabling Windows Defender Credential Guard on domain controllers is not supported.
    +> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
>[!NOTE]
-> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
+> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Applications will break if they require:
- Kerberos DES encryption support 
@@ -58,42 +70,43 @@ Applications will prompt and expose credentials to risk if they require:
- Credential delegation
- MS-CHAPv2
-Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
+Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process.
-See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
## Security considerations
-All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
+All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> [!NOTE]
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
    -> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
    +> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
### Baseline protections
-|Baseline Protections | Description |
-|---------------------------------------------|----------------------------------------------------|
+|Baseline Protections | Description | Security benefits
+|---|---|---|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
    [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

    **Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
    [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.

    |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. +> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. + ### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

    **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | +| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation | **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
    @@ -102,11 +115,11 @@ The following tables describe baseline protections, plus protections for improve > [!IMPORTANT] > The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Protections for Improved Security | Description |Security Benefits | +|---|---|---| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software. | • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
    @@ -114,7 +127,7 @@ The following tables describe baseline protections, plus protections for improve The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and executable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | +| Protections for Improved Security | Description | Security Benefits +|---|---|---| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and executable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. |
diff --git a/windows/access-protection/credential-guard/credential-guard-scripts.md b/windows/access-protection/credential-guard/credential-guard-scripts.md
index 991d0010f2..cd00d7fe8c 100644
--- a/windows/access-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/access-protection/credential-guard/credential-guard-scripts.md
@@ -1,15 +1,15 @@
 ---
-title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
-description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
+title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10)
+description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Credential Guard: Scripts for Certificate Authority Issuance Policies
+# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies
 Here is a list of scripts mentioned in this topic.
diff --git a/windows/access-protection/credential-guard/credential-guard.md b/windows/access-protection/credential-guard/credential-guard.md
index 82c1f6b546..56949895b5 100644
--- a/windows/access-protection/credential-guard/credential-guard.md
+++ b/windows/access-protection/credential-guard/credential-guard.md
@@ -1,30 +1,30 @@
 ---
-title: Protect derived domain credentials with Credential Guard (Windows 10)
-description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
+description: Introduced in Windows 10 Enterprise, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Protect derived domain credentials with Credential Guard
+# Protect derived domain credentials with Windows Defender Credential Guard
 **Applies to**
 - Windows 10
 - Windows Server 2016
-Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Windows Defender Credential Guard video series.
-Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. 
+Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
-By enabling Credential Guard, the following features and solutions are provided:
+By enabling Windows Defender Credential Guard, the following features and solutions are provided:
 - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
 - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
-- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
+- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. 
Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.  
 ## Related topics
@@ -33,7 +33,7 @@ By enabling Credential Guard, the following features and solutions are provided:
 - [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
 - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
 - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
-- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
+- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
 - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
 - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
 - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) 
@@ -42,6 +42,6 @@ By enabling Credential Guard, the following features and solutions are provided:
 ## See also
-**Deep Dive into Credential Guard: Related videos**
+**Deep Dive into Windows Defender Credential Guard: Related videos**
-[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
+[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
diff --git a/windows/access-protection/credential-guard/images/credguard-gp.png b/windows/access-protection/credential-guard/images/credguard-gp.png
index 8c91b114df..827121f0fc 100644
Binary files a/windows/access-protection/credential-guard/images/credguard-gp.png and b/windows/access-protection/credential-guard/images/credguard-gp.png differ
diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md
index c5c53ac5e6..1af667a83a 100644
--- a/windows/access-protection/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@@ -9,7 +9,7 @@ ms.prod: w10
 ms.technology: windows
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Enterprise Certificate Pinning
diff --git a/windows/access-protection/hello-for-business/hello-and-password-changes.md b/windows/access-protection/hello-for-business/hello-and-password-changes.md
index 0a5b5a6d31..5e984f955e 100644
--- a/windows/access-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/access-protection/hello-for-business/hello-and-password-changes.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
 # Windows Hello and password changes
diff --git a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c458afafc8..7fbfa154b0 100644
--- a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
new file mode 100644
index 0000000000..d9f542ffd7
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -0,0 +1,513 @@ +--- +title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) +description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 07/07/2017 +--- +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. + +The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. + +If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
+ +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. + +Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. + +A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +## Update Windows Server 2016 + +Sign-in the federation server with _local admin_ equivalent credentials. +1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. +2. 
Ensure the latest server updates to the federation server includes [KB4022723](https://support.microsoft.com/en-us/help/4022723). + +>[!IMPORTANT] +>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. + +## Enroll for a TLS Server Authentication Certificate + +Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) + +You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. + +You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. + +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### Internal Server Authentication Certificate Enrollment + +Sign-in the federation server with domain admin equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +## Deploy the Active Directory Federation Service Role + +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. +* Device registration +* Key registration +* Certificate registration authority (certificate trust deployments) + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** on the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. +7. Click **Next** on the **Select features** page. +8. Click **Next** on the **Active Directory Federation Service** page. +9. Click **Install** to start the role installation. 
+ +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the AD FS farm uses the correct database configuration. +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +## Device Registration Service Account Prerequisite + +The service account used for the device registration server depends on the domain controllers in the environment. + +>[!NOTE] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. + +GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
+ +#### Create KDS Root Key + +Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. +1. Start an elevated Windows PowerShell console. +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. + +#### Create an AD FS Service Account + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click the **Users** container, Click **New**. Click **User**. +3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +5. Click **Next** and then click **Finish**. + +## Configure the Active Directory Federation Service Role + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. + * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. + + +### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add…** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Configure Permissions for Key Registration + +Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +## Configure the Device Registration Service + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console. +2. In the navigation pane, expand **Service**. Click **Device Registration**. +3. In the details pane, click **Configure Device Registration**. +4. In the **Configure Device Registration** dialog, click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you followed the correct procedures based on the domain controllers used in your deployment + * Windows Server 2012 or Windows Server 2012 R2 + * Windows Server 2008 or Windows Server 2008 R2 +* Confirm you have the correct service account based on your domain controller version. +* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
+* Confirm you used a certificate with the correct names as the server authentication certificate + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) +* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. +* Confirm you enabled the Device Registration service. + +## Prepare and Deploy AD FS Registration Authority + +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. + +### Configure Registration Authority template + +The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
+ +The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +#### Windows 2012 or later domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Windows 2008 or 2008R2 domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Configure the Windows Hello for Business Authentication Certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. + +### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. 
Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
+5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+6. Publish the **WHFB Authentication** certificate template using step 5.
+7. Close the console.
+
+### Configure the Registration Authority
+
+Sign-in the AD FS server with Domain Admin equivalent credentials.
+
+1. Open a **Windows PowerShell** prompt.
+2. Type the following command
+
+ ```PowerShell
+ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
+ ```
+
+
+The `Set-AdfsCertificateAuthority` cmdlet may show the following warning:
+>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
+
+This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
+
+>[!NOTE]
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+
+### Enrollment Agent Certificate Enrollment
+
+Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+
+Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
+
+## Additional Federation Servers
+
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
+
+### Server Authentication Certificate
+
+Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
+
+### Install Additional Servers
+
+Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
+
+## Load Balance AD FS Federation Servers
+
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+
+### Install Network Load Balancing Feature on AD FS Servers
+
+Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
+1. Start **Server Manager**. Click **Local Server** in the navigation pane.
+2. Click **Manage** and then click **Add Roles and Features**.
+3. Click **Next** On the **Before you begin** page.
+4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
+5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
+6. 
On the **Select server roles** page, click **Next**.
+7. Select **Network Load Balancing** on the **Select features** page.
+8. Click **Install** to start the feature installation
+ ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
+
+### Configure Network Load Balancing for AD FS
+
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
+
+Sign-in a node of the federation farm with _Admin_ equivalent credentials.
+1. Open **Network Load Balancing Manager** from **Administrative Tools**.
+ ![NLB Manager user interface](images/hello-nlb-manager.png)
+2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
+3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
+ ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png)
+4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
+5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
+6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
+ ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png)
+7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
+ ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png)
+8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
+9. In Port Rules, click Edit to modify the default port rules to use port 443.
+ ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png)
+
+### Additional AD FS Servers
+
+1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
+2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
+ ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png)
+
+## Configure DNS for Device Registration
+
+Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+1. Open the **DNS Management** console.
+2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
+3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name.
+4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
+5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
+6. Close the DNS Management console
+
+## Configure the Intranet Zone to include the federation service
+
+The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
+
+### Create an Intranet Zone Group Policy
+
+Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**
+4. Type **Intranet Zone Settings** in the name box and click **OK**.
+5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**.
+8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**.
+9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor.
+
+### Deploy the Intranet Zone Group Policy object
+
+1. 
Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
+3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
+
+## Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account.
+* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:
+ * Issuance requirements of an authorized signature from a certificate request agent.
+ * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe
+ * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions
+* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+* Confirm you restarted the AD FS service.
+* Confirm you properly configured load-balancing (hardware or software). 
+* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
+* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+
+## Validating your work
+
+You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account.
+
+### Event Logs
+
+Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show
+
+* The account name under which the certificate was enrolled.
+* The action, which should read enroll.
+* The thumbprint of the certificate
+* The certificate template used to issue the certificate.
+
+### Normal Service Account
+
+When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify.
+
+### Group Managed Service Account
+
+You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log.
+
+Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
+
+Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate.
+
+For detailed information about the certificate, use `Certutil -q -v ` .
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+
+
+
+
+
+
+
+
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
new file mode 100644
index 0000000000..0692e099e7
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -0,0 +1,543 @@ +--- +title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) +description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 07/07/2017 +--- +# Configure or Deploy Multifactor Authentication Services + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. + +>[!TIP] +>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. + +## Prerequisites + +The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. + +### Primary MFA Server + +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. + +For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. + +The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
+ +#### Enroll for Server Authentication + +The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. + +Sign-in the primary MFA server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. + +To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. + +The following services are required: +* Common Parameters > Default Document. 
+* Common Parameters > Directory Browsing. +* Common Parameters > HTTP Errors. +* Common Parameters > Static Content. +* Health and Diagnostics > HTTP Logging. +* Performance > Static Content Compression. +* Security > Request Filtering. +* Security > Basic Authentication. +* Management Tools > IIS Management Console. +* Management Tools > IIS 6 Management Compatibility. +* Application Development > ASP.NET 4.5. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. + +Sign in the primary MFA server with _administrator_ equivalent credentials. +1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console +2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. +3. In the **Actions** pane, click **Bindings**. +4. In the **Site Bindings** dialog, Click **Add**. +5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. +6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. + +#### Configure the Web Service’s Security + +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. + +Sign in the domain controller with _domain administrator_ equivalent credentials. + +##### Create Phonefactor Admin group + +1. Open **Active Directory Users and Computers** +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. +3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. +4. Click **OK**. + +##### Add accounts to the Phonefactor Admins group + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +3. Click the **Members** tab. +4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
+ * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). +* Confirm the host has all the available updates from Windows Update. +* Confirm you bound the server authentication certificate to the IIS web site. +* Confirm you created the Phonefactor Admins group. +* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. + +### User Portal Server + +The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. + +The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. + +#### Enroll for Server Authentication + +Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. + +For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. + +Sign-in the User Portal server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). +10. Click **Add**. Click **OK** when finished. +11. Click **Enroll**. 
+ +A server authentication certificate should appear in the computer’s Personal certificate store. + +#### Install the Web Server Role + +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this. + +#### Update the Server + +Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. + +#### Configure the IIS Server’s Certificate + +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. + +#### Create WebServices SDK user account + +The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. +3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. +4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
+ +#### Add the MFA SDK user account to the Phonefactor Admins group + +Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. +3. Click the Members tab. +4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * The Webservices SDK user account + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. +* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) + +* Confirm the Web Server Role was properly configured on all servers. +* Confirm all the hosts have the latest updates from Windows Update. +* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
+ +## Installing Primary Azure MFA Server + +When you install Azure Multi-Factor Authentication Server, you have the following options: +1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS +2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) + +See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. + +Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. + +>[!IMPORTANT] +>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. + +### Configuring Company Settings + +You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Start the **Multi-Factor Server** application +2. Click **Company Settings**. +3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. +4. In **User defaults**, select **Phone Call** or **Text Message** + **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. +5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. +6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. +7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. +8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. +9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +10. Configure the minimum length for the PIN. +11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. +12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. +13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. + +![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) + +### Configuring Email Settings and Content + +If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. + +Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. + +With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. + +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
+ +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. + +#### Settings + +By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. + +#### Content + +On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. + +##### Edit the Content Settings + +The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. + +Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. Click **Email** from the list of icons and click the **Email Content** tab. +3. Select an email template from the list of templates. Click **Edit**. +4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. + ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) + +5. 
Optionally, customize other options in the email template. +6. When finished editing the template, Click **Apply**. +7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. +8. Click **Close** when you are done editing the email templates. + +### Configuring Directory Integration Settings and Synchronization + +Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. + +It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). + +#### MultiFactorAuthAdSync Service + +The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. + +The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. + +#### Settings + +Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Click the **Synchronization** tab. +4. Select **Use Active Directory**. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. + +#### Synchronization + +The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. + +You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. + +See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. + +##### To add a synchronization item + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Select the **Synchronization** tab. +4. On the **Synchronization** tab, click **Add**. + ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) + +5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. +6. Select the group you are using for replication from the list of groups +7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. +8. Select **Add new users and Update existing users**. +9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. +10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. +11. Select **Enabled** and select **Only New Users with Phone Number** from the list. +12. Select **Send email** and select **New and Updated Users**. + +##### Configure synchronization item defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. +2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). + +##### Configure synchronization language defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. +2. Select the appropriate default language for these groups of users synchronized by these synchronization item. +3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). + +### Installing the MFA Web Services SDK + +The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. + +Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
+ +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. + +## Install Secondary MFA Servers + +Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. + +Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. + +Sign in the secondary MFA server with _domain administrator_ equivalent credentials. +1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. + **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. +2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. +3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. +4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group.
+5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership.
+
+### Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+* Confirm you downloaded the latest Azure MFA Server from the Azure Portal.
+* Confirm the server has Internet connectivity.
+* Confirm you installed and activated the Azure MFA Server.
+* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc).
+* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server.
+ * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups.
+
+* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account.
+* Confirm you installed the Web Service SDK on the primary MFA server.
+* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server.
+
+
+## Installing the User Portal Server
+
+You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users.
+
+### Copying the User Portal Installation file
+
+Sign in the primary MFA server with _local administrator_ equivalent credentials.
+1. Open Windows Explorer.
+2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder.
+3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
+
+### Configure Virtual Directory name
+
+Sign in the User Portal server with _local administrator_ equivalent credentials.
+1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step.
+2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**.
+3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time.
+4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**.
+5. Click **Close**.
+
+### Edit MFA User Portal config file
+
+Sign in the User Portal server with _local administrator_ equivalent credentials.
+1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file.
+2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
+3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
+4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
+5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
+
+### Create a DNS entry for the User Portal web site
+
+Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials.
+1. Open the **DNS Management** console.
+2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
+3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
+4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
+5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**.
+6. Close the **DNS Management** console.
+
+### Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+* Confirm the user portal application is properly installed on all user portal hosts
+* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
+* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
+* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
+* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
+* Confirm you saved the changes to the web.config file.
+
+### Validating your work
+
+Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
+
+Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal.
+
+### Configuring the User Portal
+
+The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal.
+User Portal Administrators may be set up and granted permission to add new users and update existing users.
+
+#### Settings
+
+Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
+1. Open the Multi-Factor Authentication Server console.
+2. From the Multi-Factor Authentication Server window, click the User Portal icon.
+ ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png)
+
+3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`.
+The Multi-Factor Authentication Server uses this information when sending emails to users.
+4. Select Allow users to log in and Allow user enrollment check boxes.
+5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method.
+6. Select Allow users to select language.
+7. Select Use security questions for fallback and select 4 from the Questions to answer list.
+
+>[!TIP]
+>For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal).
+
+#### Administrators
+
+The User Portal Settings tab allows the administrator to install and configure the User Portal.
+1. 
Open the Multi-Factor Authentication Server console.
+2. From the Multi-Factor Authentication Server window, click the User Portal icon.
+3. On the Administrators tab, Click Add
+4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions.
+5. Click Add.
+
+>[!TIP]
+>For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**.
+
+#### Security Questions
+
+[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions.
+
+#### Trusted IPs
+
+The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry.
+
+## Configure the AD FS Server to use the MFA for multifactor authentication
+
+You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
+
+### Install the MFA AD FS Adapter
+
+Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server.
+
+### Edit the MFA AD FS Adapter config file on all ADFS Servers
+
+Sign in the primary AD FS server with _local administrator_ equivalent credentials.
+1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file.
+2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
+3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
+4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
+5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
+
+### Edit the AD FS Adapter Windows PowerShell cmdlet
+
+Sign in the primary AD FS server with _local administrator_ equivalent credentials.
+
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+
+### Run the AD FS Adapter PowerShell cmdlet
+
+Sign in the primary AD FS server with local administrator equivalent credentials.
+
+Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**.
+
+>[!NOTE]
+>You must restart the AD FS service for the registration to take effect.
+
+### Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+* Confirm the user portal application is properly installed on all user portal hosts
+* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
+* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
+* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
+* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
+* Confirm you saved the changes to the web.config file.
+* Confirm you restarted the AD FS Service after completing the configuration.
+
+## Test AD FS with the Multifactor Authentication connector
+
+Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete.
+
+1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
+2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
+3. Click **Test**.
+4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
+
+The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
new file mode 100644
index 0000000000..80a40bc364
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -0,0 +1,155 @@
+---
+title: Configure Windows Hello for Business Policy settings (Windows Hello for Business)
+description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Configure Windows Hello for Business Policy settings
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+
+Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
+
+On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
+* Enable Windows Hello for Business
+* Use certificate for on-premises authentication
+* Enable automatic enrollment of certificates
+
+## Enable Windows Hello for Business Group Policy
+
+The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
+
+You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
+
+## Use certificate for on-premises authentication
+
+The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests.
+
+You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence.
+
+## Enable automatic enrollment of certificates
+
+Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates.
+
+The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
+
+## Create the Windows Hello for Business Group Policy object
+
+The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**.
+4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
+5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **User Configuration**.
+7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
+8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
+9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
+
+## Configure Automatic Certificate Enrollment
+
+1. Start the **Group Policy Management Console** (gpmc.msc).
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
+4. In the navigation pane, expand **Policies** under **User Configuration**.
+5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
+6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
+7. Select **Enabled** from the **Configuration Model** list.
+8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+9. Select the **Update certificates that use certificate templates** check box.
+10. Click **OK**. Close the **Group Policy Management Editor**.
+
+## Configure Security in the Windows Hello for Business Group Policy object
+
+The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Double-click the **Enable Windows Hello for Business** Group Policy object.
+4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**.
+5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
+6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
+
+## Deploy the Windows Hello for Business Group Policy object
+
+The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
+3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
+
+Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
+
+## Other Related Group Policy settings
+
+### Windows Hello for Business
+
+There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
+
+### Use a hardware security device
+
+The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
+
+You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
+
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+
+### Use biometrics
+
+Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
+
+The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
+
+### PIN Complexity
+
+PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+
+Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
+* Require digits
+* Require lowercase letters
+* Maximum PIN length
+* Minimum PIN length
+* Expiration
+* History
+* Require special characters
+* Require uppercase letters
+
+In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor.
+
+## Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
+* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
+* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting.
+* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
+* Confirm you configured the proper security settings for the Group Policy object
+ * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
+ * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy
+
+* Linked the Group Policy object to the correct locations within Active Directory
+* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users
+
+
+## Add users to the Windows Hello for Business Users group
+
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. Configure Windows Hello for Business Policy settings (*You are here*)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
new file mode 100644
index 0000000000..8226e365c6
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -0,0 +1,79 @@
+---
+title: Validate Active Directory prerequisites (Windows Hello for Business)
+description: How to Validate Active Directory prerequisites for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Validate Active Directory prerequisites
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step.
+
+Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
+
+## Discovering schema role
+
+To locate the schema master role holder, open and command prompt and type:
+
+```Netdom query fsmo | findstr -i “schema”```
+
+![Netdom example output](images\hello-cmd-netdom.png)
+
+The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
+
+## Updating the Schema
+
+Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory.
+
+Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials.
+
+1. Open an elevated command prompt.
+2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
+3. To update the schema, type ```adprep /forestprep```.
+4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema.
+5. Close the Command Prompt and sign-out.
+
+## Create the KeyCredential Admins Security Global Group
+
+The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow.
+
+Sign-in a domain controller or management workstation with Domain Admin equivalent credentials.
+
+1. Open **Active Directory Users and Computers**.
+2. Click **View** and click **Advance Features**.
+3. Expand the domain node from the navigation pane.
+4. Right-click the **Users** container. Click **New**. Click **Group**.
+5. Type **KeyCredential Admins** in the **Group Name** text box.
+6. Click **OK**.
+
+## Create the Windows Hello for Business Users Security Global Group
+
+The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
+
+Sign-in a domain controller or management workstation with Domain Admin equivalent credentials.
+
+1. Open **Active Directory Users and Computers**.
+2. Click **View** and click **Advanced Features**.
+3. Expand the domain node from the navigation pane.
+4. Right-click the **Users** container. Click **New**. Click **Group**.
+5. Type **Windows Hello for Business Users** in the **Group Name** text box.
+6. Click **OK**.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. Validate Active Directory prerequisites (*You are here*)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
new file mode 100644
index 0000000000..90ae7fc730
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -0,0 +1,49 @@
+---
+title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business)
+description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Validate and Deploy Multifactor Authentication Services (MFA)
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
+
+Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
+* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
+* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios.
+* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
+* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
+
+## On-Premises Azure MFA Server
+
+On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory.
+
+### Infrastructure
+
+A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing.
+
+Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
+
+>[!IMPORTANT]
+>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article.
+
+Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md).
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
new file mode 100644
index 0000000000..c3054a28fa
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -0,0 +1,197 @@
+---
+title: Validate Public Key Infrastructure (Windows Hello for Business)
+description: How to Validate Public Key Infrastructure for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Validate and Configure Public Key Infrastructure
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
+
+## Deploy an enterprise certificate authority
+
+This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
+
+### Lab-based public key infrastructure
+
+The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
+
+Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
+
+>[!NOTE]
+>Never install a certificate authority on a domain controller in a production environment.
+
+1. Open an elevated Windows PowerShell prompt.
+2. Use the following command to install the Active Directory Certificate Services role.
+ ```PowerShell
+ Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools
+ ```
+
+3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
+ ```PowerShell
+ Install-AdcsCertificateAuthority
+ ```
+
+## Configure a Production Public Key Infrastructure
+
+If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+
+### Configure Domain Controller Certificates
+
+Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority.
+
+Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
+
+By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
+
+Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
+ **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+8. Close the console.
+
+### Superseding the existing Domain Controller certificate
+
+Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension.
+
+The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
+
+Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+4. Click the **Superseded Templates** tab. Click **Add**.
+5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+9. Click **OK** and close the **Certificate Templates** console.
+
+The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+
+### Configure an Internal Web Server Certificate template
+
+Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
+
+Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
+ **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+6. On the **Request Handling** tab, select **Allow private key to be exported**.
+7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
+9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+10. Close the console.
+
+### Unpublish Superseded Certificate Templates
+
+The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
+
+The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
+
+Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Expand the parent node from the navigation pane.
+3. Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
+
+### Publish Certificate Templates to the Certificate Authority
+
+The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
+
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Expand the parent node from the navigation pane.
+3. Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
+ * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
+
+7. Close the console.
+
+### Configure Domain Controllers for Automatic Certificate Enrollment
+
+Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**
+4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
+5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
+8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
+9. Select **Enabled** from the **Configuration Model** list.
+10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+11. Select the **Update certificates that use certificate templates** check box.
+12. Click **OK**. Close the **Group Policy Management Editor**.
+
+### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
+
+Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
+3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
+
+### Validating your work
+
+Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
+
+You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred.
+
+#### Use the Event Logs
+
+Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows.
+
+Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template.
+
+Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+
+
+#### Certificate Manager
+
+You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager.
+
+#### Certutil.exe
+
+You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates.
+
+To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
+
+#### Troubleshooting
+
+Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`.
+
+Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt.
+
+Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. Validate and Configure Public Key Infrastructure (*You are here*)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
new file mode 100644
index 0000000000..3e3dd9f272
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -0,0 +1,40 @@
+---
+title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
+description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# On Premises Certificate Trust Deployment
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
+
+Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md new file mode 100644 index 0000000000..c11406fb24 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md 
@@ -0,0 +1,55 @@
+---
+title: Windows Hello for Business Deployment Guide
+description: A guide to Windows Hello for Business deployment
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Windows Hello for Business Deployment Guide
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair.
+
+This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
+
+## Assumptions
+
+This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+* A well-connected, working network
+* Internet access
+ * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
+* Proper name resolution, both internal and external names
+* Active Directory and an adequate number of domain controllers per site to support authentication
+* Active Directory Certificate Services 2012 or later
+* One or more workstation computers running Windows 10, version 1703
+
+If you are installing a role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
+
+Do not begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working.
+
+## Deployment and trust models
+
+Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: Key trust or certificate trust.
+
+Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
+
+The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers.
+
+Following are the various deployment guides included in this topic:
+* [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
+
+## Provisioning
+
+The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
+
diff --git a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
index ee01d1173d..20c0c5cc2a 100644
--- a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
 
diff --git a/windows/access-protection/hello-for-business/hello-event-300.md b/windows/access-protection/hello-for-business/hello-event-300.md
index 3d94345736..1b894d9da4 100644
--- a/windows/access-protection/hello-for-business/hello-event-300.md
+++ b/windows/access-protection/hello-for-business/hello-event-300.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
 
diff --git a/windows/access-protection/hello-for-business/hello-how-it-works.md b/windows/access-protection/hello-for-business/hello-how-it-works.md
index 1e42ccaded..c5d6ce9420 100644
--- a/windows/access-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/access-protection/hello-for-business/hello-how-it-works.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
 # How Windows Hello for Business works
diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md
index eaac2063b5..6bc13714ae 100644
--- a/windows/access-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/access-protection/hello-for-business/hello-identity-verification.md
@@ -1,6 +1,6 @@ --- title: Windows Hello for Business (Windows 10) -description: IWindows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 @@ -8,19 +8,14 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/07/2017 --- # Windows Hello for Business -**Applies to** -- Windows 10 -- Windows 10 Mobile - -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. - ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
    +Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. Windows Hello addresses the following problems with passwords: - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. @@ -28,98 +23,78 @@ Windows Hello addresses the following problems with passwords: - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). - Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). -Windows Hello lets users authenticate to: -- a Microsoft account. -- an Active Directory account. -- a Microsoft Azure Active Directory (Azure AD) account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress) +>[!div class="mx-tdBreakAll"] +>| | | | +>| :---: | :---: | :---: | +>| [![Overview Icon](images/hello_filter.png)](hello-overview.md)
    [Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
    [Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
    [Manage Windows Hello in your Organization](hello-manage-in-organization.md) | -After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. +## Prerequisites -As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. +### Cloud Only Deployment +* Windows 10, version 1511 or later +* Microsoft Azure Account +* Azure Active Directory +* Azure Multifactor authentication +* Modern Management (Intune or supported third-party MDM), *optional* +* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory -## Biometric sign-in - - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. - -- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. 
This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. +### Hybrid Deployments +The table shows the minimum requirements for each deployment. -Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. +| Key trust
    Group Policy managed | Certificate trust
    Mixed managed | Key trust
    Modern managed | Certificate trust
    Modern managed | +| --- | --- | --- | --- | +| Windows 10, version 1511 or later| Windows 10, version 1703 or later (domain joined)
    Windows 10, version 1511 or later (cloud joined) | Windows 10, version 1511 or later | Windows 10, version 1511 or later | +| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | +| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | +| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | +| N/A | Windows Server 2016 AD FS with KB4022723 update (domain joined), and
    Windows Server 2012 or later Network Device Enrollment Service (cloud joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | +| Azure Account | Azure Account | Azure Account | Azure Account | +| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | +| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | +| Azure AD Premium, optional | Azure AD Premium, needed for device writeback | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | +### On-premises Deployments +The table shows the minimum requirements for each deployment. -## The difference between Windows Hello and Windows Hello for Business +| Key trust
    Group Policy managed | Certificate trust
    Group Policy managed| +| --- | --- | +| Windows 10, version 1703 or later | Windows 10, version 1703 or later | +| Windows Server 2016 Schema | Windows Server 2016 Schema| +| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | +| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | +| N/A | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | +| AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | +| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication. +## Frequently Asked Questions -- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. +### Do I need Windows Server 2016 domain controllers? +There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment -- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. +### Is Windows Hello for Business multifactor authentication? +Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". 
-## Benefits of Windows Hello +### Can I use PIN and biometrics to unlock my device? +No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the device with multiple factors. -Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. +### What is the difference between Windows Hello and Windows Hello for Business +Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. -You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. +### I have extended Active Directory to Azure Active Directory. Can I use the on-prem deployment model? +No. If your organization is federated or using online services, such as Office 365 or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. -In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. 
Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. +### Does Windows Hello for Business work with third party federation servers? +Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) ->[!NOTE] ->Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. +| Protocol | Description | +| :---: | :--- | +| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | +| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. 
| +| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | +| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider metadata that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | -![How authentication works in Windows Hello](images/authflow.png) - -Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. - -Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. - - -  -## How Windows Hello for Business works: key points - -- Windows Hello credentials are based on certificate or asymmetrical key pair. 
Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. -- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. -- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. - -For details, see [How Windows Hello for Business works](hello-how-it-works.md). - -## Comparing key-based and certificate-based authentication - -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. 
Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. - - - -## Learn more - -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) - -[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy - -[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) - -[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) - -[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) - -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) - -[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) - -[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778) - -## Related topics - -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) -  +### Does Windows Hello for Business work with Mac and Linux clients? 
+Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration)
diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
index 8ef71c6d85..6d8b9b37a2 100644
--- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
 
diff --git a/windows/access-protection/hello-for-business/hello-overview.md b/windows/access-protection/hello-for-business/hello-overview.md
new file mode 100644
index 0000000000..3aa57fa4e5
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-overview.md
@@ -0,0 +1,123 @@ +--- +title: Windows Hello for Business (Windows 10) +description: An overview of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +--- +# Windows Hello for Business Overview + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. + +>[!NOTE] +> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Windows Hello addresses the following problems with passwords: +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials (passwords). +- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). + +Windows Hello lets users authenticate to: +- a Microsoft account. +- an Active Directory account. +- a Microsoft Azure Active Directory (Azure AD) account. 
+- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress) + +After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. + +As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. + +## Biometric sign-in + + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + +- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. 
Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. + + +## The difference between Windows Hello and Windows Hello for Business + +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication. + +- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. + +- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. + +## Benefits of Windows Hello + +Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + +You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. + +In Windows 10, Windows Hello replaces passwords. 
When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. + +>[!NOTE] +>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. + +![How authentication works in Windows Hello](images/authflow.png) + +Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. + +Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. 
+ + +  +## How Windows Hello for Business works: key points + +- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. +- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. +- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. +- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. + +For details, see [How Windows Hello for Business works](hello-how-it-works.md). + +## Comparing key-based and certificate-based authentication + +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. 
Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. + + + +## Learn more + +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) + +[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy + +[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) + +[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) + +[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) + +[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778) + +## Related topics + +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello 
biometrics in the enterprise](hello-biometrics-in-enterprise.md) +  diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md new file mode 100644 index 0000000000..104805b446 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md 
@@ -0,0 +1,319 @@ +--- +title: Planning a Windows Hello for Business Deployment +description: A guide to planning a Windows Hello for Business deployment +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +--- +# Planning a Windows Hello for Business Deployment + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1511 or higher. + +Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. + +This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you’ll use that information to select the correct deployment guide for your needs. + +## Using this guide + +There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they’ve already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. + +This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you’ll need to consider. 
Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. + +### How to Proceed + +Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. + +There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: +* Deployment Options +* Client +* Management +* Active Directory +* Public Key Infrastructure +* Cloud + +### Baseline Prerequisites + +Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet. + +### Deployment Options + +The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. + +#### Deployment models + +There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. + +##### Cloud only +The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure. 
+ +##### Hybrid +The hybrid deployment model is for organizations that: +* Are federated with Azure Active Directory +* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect +* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources + +##### On-premises +The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. + + +It’s fundamentally important to understand which deployment model to use for a successful deployment. Some of aspects of the deployment may already be decided for you based on your current infrastructure. + +#### Trust types + +A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. + +The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. + +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authentication using their certificate to any Windows Server 2008 R2 or later domain controller. + +#### Device registration + +All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. 
For cloud only and hybrid deployment, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role. + +#### Key registration + +The in-box Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. + +#### Multifactor authentication + +The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that providers easy two-factor authentication. The inbox provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. + +Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). 
+>[!NOTE] +> Azure Multi-Factor Authentication is available through a: +>* Microsoft Enterprise Agreement +>* Open Volume License Program +>* Cloud Solution Providers program +>* Bundled with +> * Azure Active Directory Premium +> * Enterprise Mobility Suite +> * Enterprise Cloud Suite +>* A per-user and per-authentication consumption-based model that is billed monthly against Azure monetary commitment (Read [Multi-Factor Authentication Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) for more information) + +#### Directory synchronization + +Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronization Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. + +### Management + +Windows Hello for Business provides organizations with a rich set of granular policy setting with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed. + +#### Group Policy + +Group Policy is the easiest and most popular way to manage Windows Hello for Business on domain joined devices. Simply create a Group Policy object with the settings you desire. Link the Group Policy object high in your Active Directory and use security group filtering to target specific sets of computers or users. Or, link the GPO directly to the organizational units. + +#### Modern management + +Modern management is an emerging device management paradigm that leverages the cloud for managing domain joined and non-domain joined devices. Organizations can unify their device management into one platform and apply policy settings using a single platform + +### Client + +Windows Hello for Business is an exclusive Windows 10 feature. 
As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows 10 and introduced support for new scenarios. + +Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update. + + +### Active Directory + +Hybrid and on-premises deployments include Active Directory as part of their infrastructure. Most of the Active Directory requirements, such as schema, and domain and forest functional levels are predetermined. However, your trust type choice for authentication determines the version of domain controller needed for the deployment. + +### Public Key Infrastructure + +The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. + +### Cloud + +Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional. 
+ +## Planning a Deployment + +Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization’s infrastructure. + +Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you’ll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. + +### Deployment Model + +Choose the deployment model based on the resources your users access. Use the following guidance to make your decision. + +If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. + +If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hyrbid** in box **1a** on your planning worksheet. + +If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. +>[!NOTE] +>If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from and elevated Windows PowerShell prompt and evaluate the results. +>```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com -Properties keywords``` +>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. 
If the object truly does not exists, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. +>* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement +> * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. + > * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. + +### Trust type + +Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. + +If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. + +If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet. + +### Device Registration + +A successful Windows Hello for Business requires all devices to register with the identity provider. The identity provider depends on the deployment model. + +If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1c** on your planning worksheet. + +### Key Registration + +All users provisioning Windows Hello for Business have their public key registered with the identity provider. The identity provider depends on the deployment model. 
+ +If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1d** on your planning worksheet. + +### Directory Synchronization + +Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multifactor authentication during provisioning or writing the user’s public key. + +If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized. + +If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. + +### Multifactor Authentication + +The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. 
To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
+
+If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet.
+
+If box **1a** on your planning worksheet reads **hybrid**, then you have a few options, some of which depend on your directory synchronization configuration. The options from which you may choose include:
+* Directly use Azure MFA cloud service
+* Use AD FS w/Azure MFA cloud service adapter
+* Use AD FS w/Azure MFA Server adapter
+* Use AD FS w/3rd Party MFA Adapter
+
+You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
+
+If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
+
+You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication.
If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
+
+Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet.
+
+The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
+
+If box **1a** on your planning worksheet reads **on-premises**, then you have two second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter.
+
+If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
+
+### Management
+
+Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models.
+
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage non-domain joined devices.
If you choose to manage Azure Active Directory joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
+
+>[!NOTE]
+> Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
+
+If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
+
+Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and non-domain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for non-domain joined devices. Or, you can use modern management for both domain and non-domain joined devices.
+
+If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet, Write **modern management** in box **2b** if you decide to manage non-domain joined devices; otherwise, write **N/A**.
+
+If you use modern management for both domain and non-domain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
+
+### Client
+
+Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
+
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+>[!NOTE]
+>Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
+
+Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
+* Box **2a** on your planning worksheet read **modern management**.
+ * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**.
+ *Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+
+Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true.
+* Box **1a** on your planning worksheet reads **on-premises**.
+ Write **N/A** in box **3b** on your planning worksheet.
+* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **certificate trust**, and box **2a** reads **GP**.
+ * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+
+### Active Directory
+
+The Active Directory portion of the planning guide should be complete. Most of conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
+
+Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
+
+### Public Key Infrastructure
+
+Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type.
+
+If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure.
+
+If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet.
+
+The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices.
+
+If box **3a** reads **GP** and box **3b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances:
+
+| Certificate Template Name | Issued To |
+| --- | --- |
+| Exchange Enrollment Agent | AD FS RA |
+| Web Server | AD FS RA |
+| Exchange Enrollment Agent | NDES |
+| Web Server | NDES |
+| CEP Encryption | NDES |
+
+If box **3a** reads **GP** and box **3b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
+
+| Certificate Template Name | Issued To |
+| --- | --- |
+| Exchange Enrollment Agent | AD FS RA |
+| Web Server | AD FS RA |
+
+If box **3a** or **3b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet.
+
+| Certificate Template Name | Issued To |
+| --- | --- |
+| Exchange Enrollment Agent | NDES |
+| Web Server | NDES |
+| CEP Encryption | NDES |
+
+### Cloud
+
+Nearly all deployments of Windows Hello for Business require an Azure account.
+
+If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
+
+If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet.
Otherwise, write **Yes** in box **1f** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
+
+Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
+
+If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
+
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multifactor authentication).
+
+If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device writeback—an Azure AD Premium feature.
+
+Modern managed devices do not require an Azure AD premium subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
+
+If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
+
+## Congratulations, You’re Done
+
+Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment.
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
index eaa96377ed..c0ac1449b3 100644
--- a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index a224eeab82..d3f89032e3 100644
--- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
@@ -33,7 +33,7 @@ A password is transmitted to the server -- it can be intercepted in transmission
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
>[!NOTE]
->For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).
+>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
  
## PIN is backed by hardware
diff --git a/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png b/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png
new file mode 100644
index 0000000000..374d8f1297
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png
new file mode 100644
index 0000000000..7f0be5249d
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png
new file mode 100644
index 0000000000..cc78ba41cf
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png
new file mode 100644
index 0000000000..72c94fb321
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png
new file mode 100644
index 0000000000..64f85b1f54
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png
new file mode 100644
index 0000000000..6894047f98
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
new file mode 100644
index 0000000000..3167588d7b
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png b/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png
new file mode 100644
index 0000000000..49b06a8cc2
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png
new file mode 100644
index 0000000000..e74cc5f586
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png
new file mode 100644
index 0000000000..c8d406f45f
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png b/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png
new file mode 100644
index 0000000000..3c4e29b213
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-connect.png b/windows/access-protection/hello-for-business/images/hello-nlb-connect.png
new file mode 100644
index 0000000000..c5aac0791e
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-connect.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png b/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png
new file mode 100644
index 0000000000..3ab085a804
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-manager.png b/windows/access-protection/hello-for-business/images/hello-nlb-manager.png
new file mode 100644
index 0000000000..61af244a4c
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-manager.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_filter.png b/windows/access-protection/hello-for-business/images/hello_filter.png
new file mode 100644
index 0000000000..611bbfad70
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_filter.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_gear.png b/windows/access-protection/hello-for-business/images/hello_gear.png
new file mode 100644
index 0000000000..b74cf682ac
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_gear.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_lock.png b/windows/access-protection/hello-for-business/images/hello_lock.png
new file mode 100644
index 0000000000..5643cecec0
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_lock.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_users.png b/windows/access-protection/hello-for-business/images/hello_users.png
new file mode 100644
index 0000000000..c6750396dd
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_users.png differ
diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md
new file mode 100644
index 0000000000..e99fabcb82
--- /dev/null
+++ b/windows/access-protection/hello-for-business/toc.md
@@ -0,0 +1,23 @@
+# [Windows Hello for Business](hello-identity-verification.md)
+
+## [Windows Hello for Business Overview](hello-overview.md)
+## [How Windows Hello for Business works](hello-how-it-works.md)
+## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+## [Windows Hello and password changes](hello-and-password-changes.md)
+## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
+## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
+
+## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
+
+### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
+#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
+#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
new file mode 100644
index 0000000000..f7767ac5f0
Binary files /dev/null and b/windows/access-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png differ
diff --git a/windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
new file mode 100644
index 0000000000..56021d820e
Binary files /dev/null and b/windows/access-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png differ
diff --git a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
index c6d37fa5e8..233a60e8e8 100644
--- a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install digital certificates on Windows 10 Mobile
diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md
index 0ae8111073..c4498dd47b 100644
--- a/windows/access-protection/remote-credential-guard.md
+++ b/windows/access-protection/remote-credential-guard.md
@@ -1,96 +1,145 @@
---
-title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10)
-description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
+title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
+description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
-# Protect Remote Desktop credentials with Remote Credential Guard
+# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
-Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
+Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
-You can use Remote Credential Guard in the following ways:
+Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
-- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
+> [!IMPORTANT]
+> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article.
-- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
+
-## Comparing Remote Credential Guard with a server protected with Credential Guard
+## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
-Use the following diagrams to help understand how Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection.
+The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
-![Remote Credential Guard](images/remote-credential-guard.png)
+![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
-## Comparing Remote Credential Guard with other options for Remote Desktop connections
-
    -Use the following table to compare different security options for Remote Desktop connections. +The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: + +![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) + +
    +As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. + +
    +
    +Use the following table to compare different Remote Desktop connection security options: + +
    +
    + +|**Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** | +|---|---|---|---| +| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. |User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server| +| **Version support** | The remote computer can run any Windows operating system|Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**.|The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

    For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). +|**Helps prevent**                    |      N/A         |
    • Pass-the-Hash
    • Use of a credential after disconnection
    |
    • Pass-the-Hash
    • Use of domain identity during connection
    | +|**Credentials supported from the remote desktop client device**|
    • **Signed on** credentials
    • **Supplied** credentials
    • **Saved** credentials
    |
    • **Signed on** credentials only |
      • **Signed on** credentials
      • **Supplied** credentials
      • **Saved** credentials
      +|**Access**|**Users allowed**, that is, members of Remote Desktop Users group of remote host.|**Users allowed**, that is, members of Remote Desktop Users of remote host.|**Administrators only**, that is, only members of Administrators group of remote host. +|**Network identity**|Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. |Remote Desktop session **connects to other resources as remote host’s identity**.| +|**Multi-hop**|From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**.|Not allowed for user as the session is running as a local host account| +|**Supported authentication** |Any negotiable protocol.| Kerberos only.|Any negotiable protocol| +
      + +For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) +and [How Kerberos works](https://technet.microsoft.com/en-us/library/cc961963.aspx(d=robot)) + +
      + + + +## Remote Desktop connections and helpdesk support scenarios + +For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. + +Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). + +To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/en-us/download/details.aspx?id=46899). + +For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). 
+
+
+
+
+## Remote Credential Guard requirements
+
+To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
+
+The Remote Desktop client device:
+
+- Must be running at least Windows 10, version 1703 to be able to supply credentials.
+- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
+- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
+- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
+
+The Remote Desktop remote host:
+
+- Must be running at least Windows 10, version 1607 or Windows Server 2016.
+- Must allow Restricted Admin connections.
+- Must allow the client’s domain user to access Remote Desktop connections.
+- Must allow delegation of non-exportable credentials.
+
+There are no hardware requirements for Windows Defender Remote Credential Guard.
> [!NOTE]
-> This table compares different options than are shown in the previous diagram.
+> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
-| Remote Desktop | Remote Credential Guard | Restricted Admin mode | -|---|---|---| -| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | -| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

      For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | -| NA | Helps prevent:

      - **Pass the Hash**
      - Usage of a **credential after disconnection** | Prevents:

      - **Pass the Hash**
      - Usage of **domain identity during connection** | -| Credentials supported from the remote desktop client device:

      - **Signed on** credentials
      - **Supplied** credentials
      - **Saved** credentials | Credentials supported from the remote desktop client device:

      - **Signed on** credentials only | Credentials supported from the remote desktop client device:

      - **Signed on** credentials
      - **Supplied** credentials
      - **Saved** credentials | -| Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Administrators only**, that is, only members in administrators group of remote host. | -| Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as remote host’s identity**. | -| Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | No multi-hop: From the remote desktop, you **cannot connect through Remote Desktop to another computer**. | -| Supported authentication protocol: **Any negotiable protocol**. | Supported authentication protocol: **Kerberos only**. | Supported authentication protocol: **Any negotiable protocol**. | +- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. +- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. +- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. -## Hardware and software requirements +## Enable Windows Defender Remote Credential Guard -The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard: +You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry. 
-- They must be joined to an Active Directory domain
- - Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
-- They must use Kerberos authentication.
-- They must be running at least Windows 10, version 1607 or Windows Server 2016.
-- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
-
-## Enable Remote Credential Guard
-
-You must enable Remote Credential Guard on the target device by using the registry.
-
-1. Open Registry Editor.
-2. Enable Remote Credential Guard:
+1. Open Registry Editor on the remote host.
+2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
 - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard.
+ - Add a new DWORD value named **DisableRestrictedAdmin**.
+ - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
 3. Close Registry Editor.
-You can add this by running the following from an elevated command prompt:
+You can add this by running the following command from an elevated command prompt:
 ```
 reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
 ```
-## Using Remote Credential Guard
+## Using Windows Defender Remote Credential Guard
-You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.
+Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection.
-### Turn on Remote Credential Guard by using Group Policy
+### Turn on Windows Defender Remote Credential Guard by using Group Policy
 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
 2. Double-click **Restrict delegation of credentials to remote servers**.
- ![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
+ ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
 3. Under **Use the following restricted mode**:
- - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
+ - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
- > **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
+ > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. 
With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
+ - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
- - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic.
+ - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
 4. Click **OK**.
@@ -99,29 +148,23 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
 6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
-### Use Remote Credential Guard with a parameter to Remote Desktop Connection
+### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
-If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.
+If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
 ```
 mstsc.exe /remoteGuard
 ```
-## Considerations when using Remote Credential Guard
+## Considerations when using Windows Defender Remote Credential Guard
-- Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied.
-- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
+- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory.
 - Remote Desktop Credential Guard only works with the RDP protocol.
-- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own.
-
-- Remote Desktop Gateway is not compatible with Remote Credential Guard.
-
-- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
-
-- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.
+- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
 - The server and client must authenticate using Kerberos.
\ No newline at end of file
diff --git a/windows/access-protection/user-account-control/user-account-control-overview.md b/windows/access-protection/user-account-control/user-account-control-overview.md
index a273e12688..15a9a0a383 100644
--- a/windows/access-protection/user-account-control/user-account-control-overview.md
+++ b/windows/access-protection/user-account-control/user-account-control-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: operate
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/vpn/vpn-authentication.md b/windows/access-protection/vpn/vpn-authentication.md
index fa0b7a5592..89140757bf 100644
--- a/windows/access-protection/vpn/vpn-authentication.md
+++ b/windows/access-protection/vpn/vpn-authentication.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN authentication options
diff --git a/windows/access-protection/vpn/vpn-auto-trigger-profile.md b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
index dbbe91c8cb..497918050e 100644
--- a/windows/access-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN auto-triggered profile options
diff --git a/windows/access-protection/vpn/vpn-conditional-access.md b/windows/access-protection/vpn/vpn-conditional-access.md
index 073b24b8fd..1bbcc1daef 100644
--- a/windows/access-protection/vpn/vpn-conditional-access.md
+++ b/windows/access-protection/vpn/vpn-conditional-access.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN and conditional access
diff --git a/windows/access-protection/vpn/vpn-connection-type.md b/windows/access-protection/vpn/vpn-connection-type.md
index 39f933d548..2896f7a271 100644
--- a/windows/access-protection/vpn/vpn-connection-type.md
+++ b/windows/access-protection/vpn/vpn-connection-type.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN connection types
diff --git a/windows/access-protection/vpn/vpn-guide.md b/windows/access-protection/vpn/vpn-guide.md
index 138b74295c..f90e404b12 100644
--- a/windows/access-protection/vpn/vpn-guide.md
+++ b/windows/access-protection/vpn/vpn-guide.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Windows 10 VPN technical guide
diff --git a/windows/access-protection/vpn/vpn-name-resolution.md b/windows/access-protection/vpn/vpn-name-resolution.md
index 1a40cd73b6..b9c5a697f2 100644
--- a/windows/access-protection/vpn/vpn-name-resolution.md
+++ b/windows/access-protection/vpn/vpn-name-resolution.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN name resolution
diff --git a/windows/access-protection/vpn/vpn-profile-options.md b/windows/access-protection/vpn/vpn-profile-options.md
index 58f005e2be..2caa8c2493 100644
--- a/windows/access-protection/vpn/vpn-profile-options.md
+++ b/windows/access-protection/vpn/vpn-profile-options.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN profile options
diff --git a/windows/access-protection/vpn/vpn-routing.md b/windows/access-protection/vpn/vpn-routing.md
index 597d5cad4a..3796a83687 100644
--- a/windows/access-protection/vpn/vpn-routing.md
+++ b/windows/access-protection/vpn/vpn-routing.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN routing decisions
diff --git a/windows/access-protection/vpn/vpn-security-features.md b/windows/access-protection/vpn/vpn-security-features.md
index ed34d30dc0..cfc51f33ce 100644
--- a/windows/access-protection/vpn/vpn-security-features.md
+++ b/windows/access-protection/vpn/vpn-security-features.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN security features
diff --git a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md
index bbc34eda26..e462485fa4 100644
--- a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md
@@ -35,15 +35,15 @@ Many network administrators do not want to tackle the difficult task of determin
 With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
->**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
+>**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
-By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later.
+By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.
-If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
+If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
-Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  
+Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  
-An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation.
+An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
 After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
@@ -57,7 +57,7 @@ For more information about this design:
 - To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
-- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
+- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
 - To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index 0c3612bef6..a5da7eb1c8 100644
--- a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -49,4 +49,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
 Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
-**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 6a1a244f5c..b1c4462af5 100644
--- a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -31,10 +31,10 @@ For more info about this design:
 - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
-- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
+- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
 - To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
 - For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
-**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
diff --git a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 747345df41..edc76c960f 100644
--- a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -29,9 +29,9 @@ In this topic:
 ## To convert a rule from request to require mode
-1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-2. In the navigation pane, click **Connection Security Rules**.
+2. In the right navigation pane, click **Connection Security Rules**.
 3. In the details pane, double-click the connection security rule that you want to modify.
diff --git a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index af8be53831..2688b42949 100644
--- a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -21,6 +21,6 @@ This checklist includes tasks for configuring a GPO with firewall defaults and s
 | Task | Reference |
 | - | - |
-| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)|
-| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
-| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)|
+| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)|
+| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
+| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)|
diff --git a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
index 207e94a1a5..bf5a3ef044 100644
--- a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -25,7 +25,7 @@ For most GPO deployment tasks, you must determine which devices must receive and
 ## About exclusion groups
-A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
+A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
 You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. 
To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
@@ -33,11 +33,11 @@ You can also use a membership group for one zone as an exclusion group for anoth
 | Task | Reference |
 | - | - |
-| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
+| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
 | Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
      If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
 | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
 | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
 | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
 | If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
-| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
+| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a 
Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
\ No newline at end of file
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 0e170e2c53..64462fc07c 100644
--- a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about
 >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
-The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
+The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
 **Checklist: Implementing a basic firewall policy design**
 | Task | Reference |
 | - | - |
-| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Basic Firewall Policy Design](basic-firewall-policy-design.md)
      [Firewall Policy Design Example](firewall-policy-design-example.md)
      [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
+| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Basic Firewall Policy Design](basic-firewall-policy-design.md)
      [Firewall Policy Design Example](firewall-policy-design-example.md)
      [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
 | Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
      [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
 | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
 | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 6a65e70ac2..6eafbc017b 100644
--- a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -23,7 +23,7 @@ This parent checklist includes cross-reference links to important concepts about
 | Task | Reference |
 | - | - |
-| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
      [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
      [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
+| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
      [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
      [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
 | Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
 | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
 | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|
diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index 1c370cc0c7..4d8969d702 100644
--- a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. -The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). **Checklist: Implementing a domain isolation policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Domain Isolation Policy Design](domain-isolation-policy-design.md)
      [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
      [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Domain Isolation Policy Design](domain-isolation-policy-design.md)
      [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
      [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 533859a661..f05114fabb 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -25,7 +25,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | -| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Server Isolation Policy Design](server-isolation-policy-design.md)
      [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
      [Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
      [Server Isolation Policy Design](server-isolation-policy-design.md)
      [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
      [Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/access-protection/windows-firewall/configure-authentication-methods.md b/windows/access-protection/windows-firewall/configure-authentication-methods.md index cee5bff4da..9b01cccb54 100644 --- a/windows/access-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/access-protection/windows-firewall/configure-authentication-methods.md 
@@ -26,15 +26,15 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure authentication methods** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. 4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: - 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. diff --git a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 4c7f4c94ea..53f6cd4935 100644 --- a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md 
+++ b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure quick mode settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. diff --git a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index dd11e2d12d..ceb70e603a 100644 --- a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md 
@@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure key exchange settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. diff --git a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md index cdc97d2167..51751f2455 100644 --- a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -19,7 +19,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To modify an authentication request rule to also require encryption** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. 
@@ -27,7 +27,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. -5. In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**. +5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={***guid***}**, and then click **Properties**. 6. Click the **IPsec Settings** tab. 
@@ -42,11 +42,11 @@ To complete this procedure, you must be a member of the Domain Administrators gr 10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). **Note**   - Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. - Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. + Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell. - For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) 11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. 
diff --git a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md index 086d294c27..435bb8f776 100644 --- a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -1,6 +1,6 @@ --- -title: Configure the Windows Firewall Log (Windows 10) -description: Configure the Windows Firewall Log +title: Configure the Windows Defender Firewall Log (Windows 10) +description: Configure the Windows Defender Firewall Log ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.prod: w10 ms.mktglfcycl: deploy @@ -10,13 +10,13 @@ ms.pagetype: security author: brianlic-msft --- -# Configure the Windows Firewall Log +# Configure the Windows Defender Firewall with Advanced Security Log **Applies to** - Windows 10 - Windows Server 2016 -To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. +To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. **Administrative credentials** 
@@ -24,13 +24,13 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log) +- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log) -## To configure the Windows Firewall log +## To configure the Windows Defender Firewall with Advanced Security log -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. 
@@ -40,14 +40,14 @@ In this topic: 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. - >**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. + >**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. 5. No logging occurs until you set one of following two options: - - To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. + - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. - - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. + - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**. 6. Click **OK** twice. diff --git a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 057dd20255..4ca087720c 100644 --- a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md 
+++ b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) -description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10) +description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.prod: w10 ms.mktglfcycl: deploy @@ -9,13 +9,13 @@ ms.pagetype: security author: brianlic-msft --- -# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked **Applies to** - Windows 10 - Windows Server 2016 -To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. +To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. >**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. 
@@ -25,11 +25,11 @@ We recommend that you do not enable these settings until you have created and te To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules +## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. diff --git a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index e48455f5e9..00b30c104b 100644 --- a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md 
@@ -18,17 +18,16 @@ author: brianlic-msft In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. **Important**   -Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. +Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.   - **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. **To create a rule that exempts specified hosts from authentication** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md index 42617dc699..2b9f10a74c 100644 --- a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md 
+++ b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md @@ -23,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr To create the authentication request rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md index 83983389da..e9d89fe583 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. +To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. **Administrative credentials** 
@@ -29,7 +29,7 @@ This topic describes how to create a port rule that allows inbound ICMP network To create an inbound ICMP rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md index 212bf9a8fc..e7d860e7e1 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md @@ -15,7 +15,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall +with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. **Administrative credentials** 
@@ -29,7 +30,7 @@ This topic describes how to create a standard port rule for a specified protocol **To create an inbound port rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index 62c8e83e1b..73ff4dd9d1 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. +To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. @@ -25,7 +25,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an inbound firewall rule for a program or service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. 
diff --git a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md index 9a06f49266..5118794bc7 100644 --- a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an outbound port rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. 
@@ -37,7 +37,7 @@ To create an outbound port rule 6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. - If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. diff --git a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 2e7e5c2e1e..a45c1e27a4 100644 --- a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an outbound firewall rule for a program or service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index a7cf60c649..b1042decfd 100644 --- a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. +To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. **Administrative credentials** 
@@ -35,7 +35,7 @@ In this topic: ## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index df45d7bcb2..7f241a26ff 100644 --- a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,6 +1,6 @@ --- -title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) -description: Designing a Windows Firewall with Advanced Security Strategy +title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10) +description: Designing a Windows Defender Firewall Strategy ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Designing a Windows Firewall with Advanced Security Strategy +# Designing a Windows Defender Firewall with Advanced Security Strategy **Applies to** - Windows 10 diff --git a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 01ed85051c..9bf8f022de 100644 
--- a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -136,4 +136,4 @@ With the other information that you have gathered in this section, this informat The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. -**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/access-protection/windows-firewall/documenting-the-zones.md b/windows/access-protection/windows-firewall/documenting-the-zones.md index 9c120835e8..626dcb014a 100644 --- a/windows/access-protection/windows-firewall/documenting-the-zones.md +++ b/windows/access-protection/windows-firewall/documenting-the-zones.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: | Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | | - | - | - | - | - | - | diff --git a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md index 6f15c8338f..c574eb7ab3 100644 --- a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md 
@@ -55,7 +55,7 @@ For more info about this design: - To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). -- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the info described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). diff --git a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md index 59e8325dac..7533422632 100644 --- a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To deploy predefined firewall rules that allow inbound network traffic for common network functions -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. 
diff --git a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md index 137de67aa2..a21658eba7 100644 --- a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** 
@@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To deploy predefined firewall rules that block outbound network traffic for common network functions -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index c7fe4f7637..46b8f6f71f 100644 --- a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,6 +1,6 @@ --- -title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) -description: Evaluating Windows Firewall with Advanced Security Design Examples +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,15 +9,15 @@ ms.pagetype: security author: brianlic-msft --- -# Evaluating Windows Firewall with Advanced Security Design Examples +# Evaluating Windows Defender Firewall with Advanced Security Design Examples **Applies to** - Windows 10 - Windows Server 2016 -The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. +The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. -- [Firewall Policy Design Example](firewall-policy-design-example.md) +- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md) - [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) diff --git a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md index 21100a9674..59b17edc20 100644 --- a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md 
@@ -23,8 +23,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr To exempt ICMP network traffic from authentication -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. On the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. diff --git a/windows/access-protection/windows-firewall/firewall-policy-design-example.md b/windows/access-protection/windows-firewall/firewall-policy-design-example.md index 8dad2b48f7..c78fdb7508 100644 --- a/windows/access-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/access-protection/windows-firewall/firewall-policy-design-example.md 
@@ -25,7 +25,7 @@ A key line-of-business program called WGBank consists of a client program runnin ## Design requirements -The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. +The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. The following illustration shows the traffic protection needs for this design example. 
@@ -82,7 +82,7 @@ The following groups were created by using the Active Directory Users and Comput The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - - Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. + - Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. 
- Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. 
@@ -90,15 +90,15 @@ The following groups were created by using the Active Directory Users and Comput - **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. -- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. 
Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. - **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Defender Firewall with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. 
Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 0c507fdc73..fdbe2852e0 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: +Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: - **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. 
@@ -27,6 +27,6 @@ Active Directory is another important item about which you must gather informati - **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. -- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. **Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md) 
diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 67dcea5661..46a4a1d89c 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: +Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: - **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. 
@@ -31,7 +31,7 @@ The goal is to have enough information to be able to identify an asset by its ne Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. -This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. +This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. ## Network segmentation @@ -100,7 +100,7 @@ When you examine traffic flow, look closely at how all managed and unmanaged dev - How do servers and clients communicate with each other? -- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. +- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Defender Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. Some of the more common applications and protocols are as follows: 
@@ -108,6 +108,6 @@ Some of the more common applications and protocols are as follows: - **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. -- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. +- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. **Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md index 3643e51814..cdb060488d 100644 
--- a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md @@ -49,6 +49,6 @@ You can use Windows PowerShell to create a script file that can collect the syst Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. -This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. +This inventory will be critical for planning and implementing your Windows Defender Firewall design. **Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md index 85e9be98dc..f66f69ec44 100644 --- a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. +This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. ## Capacity considerations 
@@ -35,7 +35,7 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con ## Group Policy deployment groups and WMI filters -You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. +You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. ## Different Active Directory trust environments diff --git a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md index a11fbf67c8..6955fdcf1b 100644 --- a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. +Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. Review each of the following topics for guidance about the kinds of information that you must gather: diff --git a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md index 00fb043b7a..f608fcdc53 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md index b5d3c6801e..b86a8385ac 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md 
@@ -12,7 +12,7 @@ ms.pagetype: security # GPO\_DOMISO\_Encryption\_WS2008 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md index d1349941e1..fea48288ad 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md @@ -15,7 +15,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall +with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. ## Firewall settings 
@@ -53,7 +54,7 @@ This GPO provides the following rules: - Remote Volume Management - - Windows Firewall Remote Management + - Windows Defender Firewall Remote Management - Windows Management Instrumentation (WMI) diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index a6ab80ad09..6e47c03677 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 91cd4e3890..6270e8529e 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md 
@@ -15,9 +15,9 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. -Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: +Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: - This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). diff --git a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 092982bd0a..96bd9ea465 100644 
--- a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,6 +1,6 @@ --- -title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10) -description: Identifying Your Windows Firewall with Advanced Security Deployment Goals +title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10) +description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,52 +9,21 @@ ms.pagetype: security author: brianlic-msft --- -# Identifying Your Windows Firewall with Advanced Security Deployment Goals +# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals **Applies to** - Windows 10 - Windows Server 2016 -Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. +Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios. -The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals. +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals: -
    Support for free and paid appsSupports all free and paid products
      +
    • Afghanistan
    • Algeria
    • +
    • Andorra
    • Angola
    • +
    • Anguilla
    • +
    • Antigua and Barbuda
    • Argentina
    • Australia
    • Austria
    • @@ -177,41 +181,48 @@ Microsoft Store for Business and Education is currently available in these marke
    • Belgium
    • Belize
    • Bermuda
    • +
    • Benin
    • Bhutan
    • Bolivia
    • +
    • Bonaire
    • Botswana
    • Brunei Darussalam
    • Bulgaria
    • +
    • Burundi
    • Cambodia
    • Cameroon
    • Canada
    • -
    • Republic of Cabo Verde
    • Cayman Islands
    • Chile
    • Colombia
    • +
    • Comoros
    • Costa Rica
    • Côte D'ivoire
    • Croatia
    • Curçao
    • Cyprus
    • -
    -
    -
    • Czech Republic
    • Denmark
    • Dominican Republic
    • Ecuador
    • +
    +
    +
    • Egypt
    • El Salvador
    • Estonia
    • +
    • Ethiopia
    • Faroe Islands
    • Fiji
    • Finland
    • France
    • +
    • French Guiana
    • +
    • French Polynesia
    • Germany
    • Ghana
    • Greece
    • +
    • Greenland
    • Guadeloupe
    • Guatemala
    • Honduras
    • @@ -225,29 +236,42 @@ Microsoft Store for Business and Education is currently available in these marke
    • Italy
    • Jamaica
    • Japan
    • +
    • Jersey
    • Jordan
    • -
    • Kenya
    • -
    -
    -
      +
    • Kenya
    • Kuwait
    • +
    • Laos
    • Latvia
    • Lebanon
    • Libya
    • Liechtenstein
    • Lithuania
    • Luxembourg
    • +
    • Macedonia
    • +
    • Madagascar
    • +
    +
    +
      +
    • Malawi
    • Malaysia
    • +
    • Maldives
    • +
    • Mali
    • Malta
    • +
    • Marshall Islands
    • +
    • Martinique
    • Mauritius
    • +
    • Mayotte
    • Mexico
    • Mongolia
    • Montenegro
    • Morocco
    • Mozambique
    • +
    • Myanamar
    • Namibia
    • +
    • Nepal
    • Netherlands
    • +
    • New Caledonia
    • New Zealand
    • Nicaragua
    • Nigeria
    • @@ -256,48 +280,60 @@ Microsoft Store for Business and Education is currently available in these marke
    • Pakistan
    • Palestinian Authority
    • Panama
    • +
    • Papua New Guinea
    • Paraguay
    • Peru
    • Philippines
    • -
    • Poland
    • +
    • Poland
    • +
    • Portugal
    • +
    • Puerto Rico
    • +
    • Qatar
    • +
    • Republic of Cabo Verde
    • +
    • Reunion
    • +
    • Romania
    • +
    • Rwanda
    • +
    • Saint Kitts and Nevis
      -
    • Portugal
    • -
    • Puerto Rico
    • -
    • Qatar
    • -
    • Romania
    • -
    • Rwanda
    • -
    • Saint Kitts and Nevis
    • +
    • Saint Lucia
    • +
    • Saint Martin
    • +
    • Saint Vincent and the Grenadines
    • +
    • San marino
    • Saudi Arabia
    • Senegal
    • Serbia
    • +
    • Seychelles
    • Singapore
    • +
    • Sint Maarten
    • Slovakia
    • Slovenia
    • South Africa
    • Spain
    • +
    • Sri Lanka
    • +
    • Suriname
    • Sweden
    • Switzerland
    • Tanzania
    • Thailand
    • +
    • Timor-Leste
    • +
    • Togo
    • +
    • Tonga
    • Trinidad and Tobago
    • Tunisia
    • Turkey
    • +
    • Turks and Caicos Islands
    • Uganda
    • United Arab Emirates
    • United Kingdom
    • -
    • United States
    • -
    -
    -
      +
    • United States
    • Uruguay
    • +
    • Vatican City
    • Viet Nam
    • Virgin Islands, U.S.
    • Zambia
    • -
    • Zimbabwe
                              
    • +
    • Zimbabwe
         
    ---- - - - - - - - - - - - - - - - - - - - - -
    Deployment goal tasksReference links

    Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

    Predefined deployment goals:

    -
      -
    • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

    • -
    • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)

    • -
    • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

    • -
    • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)

    • -

    Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.

      -
    • [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)

    • -

    Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.

      -
    • [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

    • -
    • [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)

    • -
    +| Deployment goal tasks | Reference links | +| --- | --- | +| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:

    • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
    • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
    • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
    • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
    +| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
    • [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
    +| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
    • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
    • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
    +
    -**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 6099d183c9..63e24245d4 100644 --- a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,6 +1,6 @@ --- -title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) -description: Implementing Your Windows Firewall with Advanced Security Design Plan +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,15 +9,15 @@ ms.pagetype: security author: brianlic-msft --- -# Implementing Your Windows Firewall with Advanced Security Design Plan +# Implementing Your Windows Defender Firewall with Advanced Security Design Plan **Applies to** - Windows 10 - Windows Server 2016 -The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: +The following are important factors in the implementation of your Windows Defender Firewall design plan: -- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. +- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. - **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. 
@@ -27,14 +27,14 @@ The following are important factors in the implementation of your Windows Firewa - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. -## How to implement your Windows Firewall with Advanced Security design using this guide +## How to implement your Windows Defender Firewall with Advanced Security design using this guide The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. ![wfas implementation](images/wfas-implement.gif) -Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design. +Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. - [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) 
@@ -44,4 +44,4 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) -The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). +The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). diff --git a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md index 9743da28c0..a488a96fe2 100644 
--- a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md 
@@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. +When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. 
@@ -54,7 +54,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d - Your Windows Store app is installed on the client device. -- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules. +- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Defender Firewall rules. >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). @@ -134,9 +134,9 @@ The following table provides a complete list of the possible app capabilities. | **Webcam** | webcam| Provides access to the webcam's video feed.| | **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.| -You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. +You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. -For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. +For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. **To block Internet access for any apps on your network that have the Documents Library capability** 
@@ -148,7 +148,7 @@ For example, you could create a Windows Firewall policy to block Internet access 4. Right-click the new GPO, and then click **Edit**. -5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and click **Windows Firewall with Advanced Security – LDAP://…** +5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall – LDAP://…** 6. Right-click **Outbound Rules**, and then click **New Rule**. @@ -206,7 +206,7 @@ Use the following procedure if you want to block intranet access for a specific 4. Right-click your new GPO, and then click **Edit**. -5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then click **Windows Firewall with Advanced Security – LDAP://**… +5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall – LDAP://**… 6. Right-click **Outbound Rules**, and then click **New Rule**. @@ -246,4 +246,4 @@ Use the following procedure if you want to block intranet access for a specific ## See also -- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) +- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) 
diff --git a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 9712af0076..59c2f98643 100644 --- a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,6 +1,6 @@ --- -title: Open the Group Policy Management Console to Windows Firewall (Windows 10) -description: Open the Group Policy Management Console to Windows Firewall +title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10) +description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,13 +9,13 @@ ms.pagetype: security author: brianlic-msft --- -# Open the Group Policy Management Console to Windows Firewall +# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -To open a GPO to Windows Firewall +To open a GPO to Windows Defender Firewall: 1. Open the Active Directory Users and Computers console. @@ -23,4 +23,4 @@ To open a GPO to Windows Firewall 3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. -4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**. +4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**. \ No newline at end of file 
diff --git a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index 8f20a73c1c..5cfa7929ea 100644
--- a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
 ---
-title: Open Windows Firewall with Advanced Security (Windows 10)
-description: Open Windows Firewall with Advanced Security
+title: Open Windows Defender Firewall with Advanced Security (Windows 10)
+description: Open Windows Defender Firewall with Advanced Security
 ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,29 +9,29 @@ ms.pagetype: security author: brianlic-msft --- -# Open Windows Firewall with Advanced Security +# Open Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -This procedure shows you how to open the Windows Firewall with Advanced Security console. +This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. **Administrative credentials** To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. -## Opening Windows Firewall with Advanced Security +## Opening Windows Defender Firewall - [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) - [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) -## To open Windows Firewall with Advanced Security using the UI +## To open Windows Defender Firewall using the UI -Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER. +Click Start, type **Windows Defender Firewall**, and the press ENTER. -## To open Windows Firewall with Advanced Security from a command prompt +## To open Windows Defender Firewall from a command prompt 1. Open a command prompt window. @@ -43,4 +43,4 @@ Click Start, type **Windows Firewall with Advanced Security**, and the press ENT **Additional considerations** -Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. +Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. 
diff --git a/windows/access-protection/windows-firewall/planning-gpo-deployment.md b/windows/access-protection/windows-firewall/planning-gpo-deployment.md
index abdff4b8ca..78351be73b 100644
--- a/windows/access-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/access-protection/windows-firewall/planning-gpo-deployment.md
@@ -41,11 +41,11 @@ After you have deployed your GPOs and added some test devices to the groups, con - Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. -- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. +- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. -- Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. +- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. -- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. +- Verify that communications are encrypted when the devices require it. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. - Verify that your programs are unaffected. Run them and confirm that they still work as expected. 
diff --git a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index fdcf972088..506da52a87 100644 --- a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -37,7 +37,7 @@ The following is a list of the firewall settings that you might consider for inc - **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. -- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. +- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions. - **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. 
diff --git a/windows/access-protection/windows-firewall/planning-the-gpos.md b/windows/access-protection/windows-firewall/planning-the-gpos.md
index 84b3750822..83b84c2132 100644
--- a/windows/access-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/access-protection/windows-firewall/planning-the-gpos.md
@@ -31,15 +31,17 @@ A few things to consider as you plan the GPOs: >**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. -- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. +- Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. 
If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. - >**Note:**  Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. + + > [!NOTE] + > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. 
After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. ## Woodgrove Bank example GPOs - The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. In this section you can find information about the following: diff --git a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 8423e4b94f..3e0692fba7 100644 --- a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) -description: Planning to Deploy Windows Firewall with Advanced Security +title: Planning to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +description: Planning to Deploy Windows Defender Firewall with Advanced Security ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,19 +9,19 @@ ms.pagetype: security author: brianlic-msft --- -# Planning to Deploy Windows Firewall with Advanced Security +# Planning to Deploy Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. +After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. -## Reviewing your Windows Firewall with Advanced Security Design +## Reviewing your Windows Defender Firewall with Advanced Security Design -If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: +If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. 
Review the following points: -- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide: - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) @@ -45,4 +45,4 @@ If the design team that created the Windows Firewall with Advanced Security desi If at least one set of each does not match between two devices, then the devices cannot successfully communicate. -After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). +After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). diff --git a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 736612379f..28331f84ac 100644 --- a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md 
+++ b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,6 +1,6 @@ --- -title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) -description: Planning Your Windows Firewall with Advanced Security Design +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +description: Planning Your Windows Defender Firewall with Advanced Security Design ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Planning Your Windows Firewall with Advanced Security Design +# Planning Your Windows Defender Firewall with Advanced Security Design **Applies to** - Windows 10 @@ -76,7 +76,6 @@ When you are ready to examine the options for using certificate-based authentica ## Documenting your design - After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - [Documenting the Zones](documenting-the-zones.md) diff --git a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md index 7374820ed8..9d3f5fadb0 100644 --- a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md 
@@ -35,11 +35,11 @@ The procedures in this section appear in the checklists found earlier in this do - [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) -- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md) - [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) -- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) - [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) 
@@ -79,14 +79,12 @@ The procedures in this section appear in the checklists found earlier in this do - [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) +- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md) -- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) +- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) - [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) -- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) +- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) - [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 42da77aa05..1072f58a99 100644 --- a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md 
@@ -17,7 +17,7 @@ author: brianlic-msft The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. -For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. +For devices that share sensitive information over the network, Windows Defender Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. 
diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index fa2225b9c4..4d303d685c 100644
--- a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -17,7 +17,7 @@ author: brianlic-msft Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. -Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). +Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. 
You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. @@ -41,4 +41,4 @@ The following components are required for this deployment goal: - **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. -**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index dc34b9ac84..c7e586ce8b 100644 --- a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md 
@@ -17,7 +17,7 @@ author: brianlic-msft Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. -To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. +To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. 
Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. >**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. @@ -35,7 +35,7 @@ These goals, which correspond to [Domain Isolation Policy Design](domain-isolati - Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. - For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. + For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this. No additional rules are required. These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: diff --git a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 57d1bc1e9d..8323fcc41c 100644 --- a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md 
@@ -27,7 +27,7 @@ To complete these procedures, you must be a member of the Domain Administrators ## To create a firewall rule that grants access to an isolated server -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. 2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. diff --git a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index c6875dfdd6..102a3a95f7 100644 --- a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md 
@@ -133,11 +133,11 @@ Make sure that you install the required certificates on the participating comput Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: -**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** +**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** -1. Open the Windows Firewall with Advanced Security console. +1. Open the Windows Defender Firewall with Advanced Security console. -2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. +2. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. 3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. @@ -177,7 +177,7 @@ You might not find the exact answer for the issue, but you can find good hints. ## See also -- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) +- [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md)   diff --git a/windows/access-protection/windows-firewall/server-isolation-policy-design.md b/windows/access-protection/windows-firewall/server-isolation-policy-design.md index de45c1b7c7..bd4d603e43 100644 --- a/windows/access-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/server-isolation-policy-design.md 
@@ -45,7 +45,7 @@ For more info about this design: - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). diff --git a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 618894db96..16618245b9 100644 --- a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,6 +1,6 @@ --- -title: Turn on Windows Firewall and Configure Default Behavior (Windows 10) -description: Turn on Windows Firewall and Configure Default Behavior +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,23 +9,23 @@ ms.pagetype: security author: brianlic-msft --- -# Turn on Windows Firewall and Configure Default Behavior +# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior **Applies to** - Windows 10 - Windows Server 2016 -To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. +To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To enable Windows Firewall and configure the default behavior +## To enable Windows Defender Firewall and configure the default behavior -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. diff --git a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 82f6355c8a..5fa4bdd089 100644 
--- a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,6 +1,6 @@ --- -title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10) -description: Understanding the Windows Firewall with Advanced Security Design Process +title: Understanding the Windows Defender Firewall with Advanced Security Design Process (Windows 10) +description: Understanding the Windows Defender Firewall with Advanced Security Design Process ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,20 +8,20 @@ ms.pagetype: security author: brianlic-msft --- -# Understanding the Windows Firewall with Advanced Security Design Process +# Understanding the Windows Defender Firewall with Advanced Security Design Process Designing any deployment starts by performing several important tasks: -- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: +After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: -- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -- [Planning Your Windows 
Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +- [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) -**Next:** [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +**Next:** [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) diff --git a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 88ab773159..21a8dd0059 100644 --- a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md 
@@ -27,15 +27,14 @@ In these procedures, you confirm that the rules you deployed are working correct >**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. -  - **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To verify that network connections are authenticated by using the Windows Firewall with Advanced Security console +## To verify that network connections are authenticated by using the Windows Defender Firewall with Advanced Security console -1. Open the Windows Firewall with Advanced Security console. +1. Open the Windows Defender Firewall with Advanced Security +console. 2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**. diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 498b42fa47..8825386438 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md 
@@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) -description: Windows Firewall with Advanced Security Administration with Windows PowerShell +title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,29 +8,29 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security Administration with Windows PowerShell +# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell **Applies to** - Windows 10 - Windows Server 2016 -The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. +The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. -In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security. +In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall. 
Windows PowerShell and netsh command references are at the following locations. -- [Netsh Commands for Windows Firewall with Advanced Security](http://technet.microsoft.com/library/cc771920) +- [Netsh Commands for Windows Defender Firewall](http://technet.microsoft.com/library/cc771920) ## Scope -This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. +This guide does not teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. ## Audience and user requirements -This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell. +This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell. ## In this topic 
@@ -45,11 +45,11 @@ This guide is intended for IT pros, system administrators, and IT managers, and ## Set profile global defaults -Global defaults set the device behavior in a per-profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles. +Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles. -### Enable Windows Firewall +### Enable Windows Defender Firewall with Advanced Security -Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain device: +Windows Defender Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Defender Firewall. Here is how to do this on a local domain device: **Netsh** 
@@ -63,9 +63,9 @@ netsh advfirewall set allprofiles state on Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` -### Control Windows Firewall behavior +### Control Windows Defender Firewall with Advanced Security behavior -The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console. +The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console. The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. 
@@ -84,31 +84,31 @@ Windows PowerShell Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` -### Disable Windows Firewall +### Disable Windows Defender Firewall with Advanced Security -Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). +Microsoft recommends that you do not disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). 
-Disabling Windows Firewall with Advanced Security can also cause problems, including: +Disabling Windows Defender Firewall with Advanced Security can also cause problems, including: - Start menu can stop working - Modern applications can fail to install or update - Activation of Windows via phone fails -- Application or OS incompatibilities that depend on Windows Firewall +- Application or OS incompatibilities that depend on Windows Defender Firewall -Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed. +Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed. -If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc). -Stopping the Windows Firewall service is not supported by Microsoft. +If disabling Windows Defender Firewall is required, do not disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). +Stopping the Windows Defender Firewall service is not supported by Microsoft. -Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility. +Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility. You should not disable the firewall yourself for this purpose. -The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. 
+The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running. -Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**. -For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). +Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**. +For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). -The following example disables Windows Firewall with Advanced Security for all profiles. +The following example disables Windows Defender Firewall for all profiles. ```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False @@ -237,13 +237,13 @@ The following scriptlet enables all rules in a predefined group containing remot **Netsh** ``` syntax -netsh advfirewall firewall set rule group="windows firewall remote management" new enable=yes +netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes ``` Windows PowerShell ``` syntax -Set-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” –Enabled True +Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. 
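Review bot: Renaming the rule group inside the command samples changes what the commands match, because `group=` in netsh and `-DisplayGroup` in PowerShell are literal lookups against the rule's display group, not free text; on a build where the built-in group is still named "Windows Firewall Remote Management" (Windows Server 2016 is in the page's "Applies to" list), `netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes` and `Set-NetFirewallRule -DisplayGroup "Windows Defender Firewall Remote Management" -Enabled True` silently enable nothing, and the same applies to the `Enable-NetFirewallRule -DisplayGroup` sample in the next hunk. Either keep the original group name in the three samples or add a sentence such as `Use the group name as it appears under Inbound Rules on your system; older builds still name the group "Windows Firewall Remote Management".` The same hunk also carries the existing typo `Domain Prolfile` into the renamed Group Policy path, which should read `Domain Profile`.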
@@ -251,7 +251,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g Windows PowerShell ``` syntax -Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -Verbose +Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose ``` ### Delete a firewall rule @@ -315,7 +315,7 @@ Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSess An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. -Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. +Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. 
@@ -524,7 +524,7 @@ New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel ## Deploy secure firewall rules with IPsec -In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. +In situations where only secure traffic can be allowed through the Windows Defender Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. ### Create a secure firewall rule (allow if secure) @@ -579,7 +579,7 @@ The following firewall rule allows Telnet traffic from user accounts that are me A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID). -Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall/and or IPsec policies. +Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies. The following example shows you how to create an SDDL string that represents security groups. 
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 9cfe29f6c0..664f6f51f9 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security Deployment Guide (Windows 10) -description: Windows Firewall with Advanced Security Deployment Guide +title: Windows Defender Firewall with Advanced Security Deployment Guide (Windows 10) +description: Windows Defender Firewall with Advanced Security Deployment Guide ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,25 +9,25 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security Deployment Guide +# Windows Defender Firewall with Advanced Security Deployment Guide **Applies to** - Windows 10 - Windows Server 2016 -You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. +You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. -You can use Windows Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. +You can use Windows Defender Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. ## About this guide -This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. +This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. 
-Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). +Begin by reviewing the information in [Planning to Deploy Windows Defender Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). -If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. +If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. -After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: +After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: - [Basic Firewall Policy Design](basic-firewall-policy-design.md) 
@@ -37,7 +37,7 @@ After you select your design and gather the required information about the zones - [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) -Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. +Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. >**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. 
@@ -47,16 +47,16 @@ In a large enterprise environment with hundreds or thousands of GPOs, using this This guide does not provide: -- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. +- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Defender Firewall with Advanced Security Design Guide. - Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. - Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. -## Overview of Windows Firewall with Advanced Security +## Overview of Windows Defender Firewall with Advanced Security -Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. 
+Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
-The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
+The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. 
While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
-For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
+For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index 47830f44c9..47ca379543 100644
--- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -1,6 +1,7 @@
---
-title: Windows Firewall with Advanced Security Design Guide (Windows 10)
-description: Windows Firewall with Advanced Security Design Guide
+title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10)
+description: Windows Defender Firewall with Advanced Security
+Design Guide
ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51
ms.prod: w10
ms.mktglfcycl: deploy 
@@ -9,29 +10,30 @@ ms.pagetype: security
author: brianlic-msft
---
-# Windows Firewall with Advanced Security Design Guide
+# Windows Defender Firewall with Advanced Security
+Design Guide
**Applies to**
- Windows 10
- Windows Server 2016
-Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
+Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
-The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. 
While the Windows Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
+The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
-For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md).
+For more overview information, see [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md).
## About this guide
-This guide provides recommendations to help you to choose or create a design for deploying Windows Firewall with Advanced Security in your enterprise environment. The guide describes some of the common goals for using Windows Firewall with Advanced Security, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide.
+This guide provides recommendations to help you to choose or create a design for deploying Windows Defender Firewall in your enterprise environment. The guide describes some of the common goals for using Windows Defender Firewall, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. 
This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals.
-Windows Firewall with Advanced Security should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules.
+Windows Defender Firewall should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules.
-To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
+To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
-You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
+You can use the deployment goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. 
@@ -45,9 +47,10 @@ You can use the deployment goals to form one of these Windows Firewall with Adva
- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution.
-In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide.
+In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide.
-You can find the Windows Firewall with Advanced Security Deployment Guide at these locations:
+You can find the Windows Defender Firewal with Advanced Security
+Deployment Guide at these locations:
- (Web page) 
@@ -57,12 +60,12 @@ You can find the Windows Firewall with Advanced Security Deployment Guide at the
| Topic | Description |
| - | - |
-| [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Firewall with Advanced Security design process. |
-| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Firewall with Advanced Security deployment goals. |
-| [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. |
-| [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. |
-| [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
-| [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. 
|
+| [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. |
+| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security deployment goals. |
+| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. |
+| [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network. |
+| [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
+| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. 
|
| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). |
## Terminology used in this guide 
@@ -74,20 +77,20 @@ The following table identifies and defines terms used throughout this guide. | Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. | | Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.| | Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that are not members of the isolated domain. Devices in the boundary zone request but do not require authentication. They use IPsec to communicate with other devices in the isolated domain.| -| Connection security rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| +| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| | Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. 
Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| | Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
    By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
    By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
    In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| | Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| -| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.| -| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. | +| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.| +| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. | | Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
    This is not related to the term zone as used by Domain Name System (DNS). |
-**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
+**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)  
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 4433aaf633..cb9ac4105d 100644
--- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
-title: Windows Firewall with Advanced Security (Windows 10)
-description: Windows Firewall with Advanced Security
+title: Windows Defender Firewall with Advanced Security (Windows 10)
+description: Windows Defender Firewall with Advanced Security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library 
@@ -8,35 +8,36 @@ ms.pagetype: security
 author: brianlic-msft
 ---
-# Windows Firewall with Advanced Security
+# Windows Defender Firewall with Advanced Security
 **Applies to**
 - Windows 10
 - Windows Server 2016
-This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
+This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
 ## Feature description
-Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy.
+Windows Defender Firewall with Advanced Security
+is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
 ## Practical applications
-To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits:
+To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
-- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
+- **Reduces the risk of network security threats.**  Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
-- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
+- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
-- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. 
Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
+- **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
 ## In this section
 | Topic | Description |
 - | - |
-| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
+| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
 | [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
-| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. |
-| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. |
-| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. 
|
+| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. |
+| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. |
+| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. |
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
index 7f815bfe0e..5c764b532e 100644
--- a/windows/application-management/TOC.md
+++ b/windows/application-management/TOC.md
@@ -99,3 +99,6 @@
 #### [Application Publishing and Client Interaction](app-v/appv-application-publishing-and-client-interaction.md)
 #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
 #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
+## [Service Host process refactoring](svchost-service-refactoring.md)
+## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
+## [Change history for Application management](change-history-for-application-management.md)
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
new file mode 100644
index 0000000000..92e5039334
--- /dev/null
+++ b/windows/application-management/change-history-for-application-management.md
@@ -0,0 +1,23 @@
+---
+title: Change history for Configure Windows 10 (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jdeckerms
+---
+
+# Change history for Configure Windows 10
+
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+
+## July 2017
+| New or changed topic | Description |
+| --- | --- |
+| [Service Host process refactoring](svchost-service-refactoring.md) | New |
+| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
+
+
diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
new file mode 100644
index 0000000000..94540ed17d
--- /dev/null
+++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
@@ -0,0 +1,58 @@
+---
+title: Application upgrades on Windows 10 Mobile
+description: Learn how to deploy upgrades to applications running on Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: kaushika-ainapure
+author: kaushika-msft
+ms.date: 07/20/2017
+---
+# Deploy application upgrades on Windows 10 Mobile
+
+> Applies to: Windows 10
+
+When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in System Center Configuration Manager](/sccm/apps/deploy-use/revise-and-supersede-applications#application-supersedence).
+
+There are two steps to deploy an app upgrade:
+
+1. [Define the supersedence](#define-app-supersedence) - this lets Configuration Manager know that the old version should be replaced by the new version.
+2. [Deploy the upgrade](#deploy-the-app-upgrade) to your users.
+
+The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Becasuse we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app.
+
+Before you can deploy the upgrade, make sure you import the new version of the app and distribute it to your manage.microsoft.com distribution point.
+
+
+
+## Define app supersedence
+
+1. In the Configuration Manager console, open the Software Library, and then find the new version of your app.
+ ![The Software Library in Configuration Manager](media/app-upgrade-cm-console.png)
+
+2. Right-click the new version, and then click **Properties**.
+3. Click the **Supersedence** tab - there shouldn't be any supersedence rules yet. We'll add one next.
+ ![The list of supersedence rules for the app](media/app-upgrade-no-supersedence.png)
+
+4. Click **Add**, browse to the existing (older) version of the app that you're upgrading, and then click **OK**. 
+5. Under **New Deployment Type** select the new version of the app. (When you imported the new version, it comes in as a new deployment type. If you're upgrading a Universal application, you'll see only one type here.)
+ ![Create a supersedence rule for the new version of the app](media/app-upgrade-supersede-deploy-type.png)
+ > [!IMPORTANT]
+ > Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version.
+
+6. Click **OK**.
+7. If you have other versions of the same app, repeate steps 4-6 for each version. Click **OK** when you're done.
+
+> [!NOTE]
+> Need to remove a supersedence? (Maybe the new version turned out to be flaky and you don't want users to get it yet.) On the **Supersedence** tab for the *new* version of the app, double-click the older version in the list of supersedence rules, and then change the **New Deployment Type** to **Do not replace**.
+
+## Deploy the app upgrade
+
+You're now ready to deploy the upgrade. On the **Home** tab in Configuration Manager, select the new version of the app, and then click **Deploy**, and follow the instructions in the wizard. When asked, set the **Purpose** to **Required**.
+
+You don't need to delete the deployment associated with the older version of the app. The status for that deployment will change to **Requirements not met** in the **Monitoring** view:
+
+![Monitoring view in Configuration Manager for the old version of the app](media/app-upgrade-old-version.png)
+
+If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
\ No newline at end of file
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index b7ce77366d..d6c32fbe93 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Windows 10 application management
@@ -13,10 +13,12 @@ localizationpriority: medium
 **Applies to**
 - Windows 10
-Learn about managing applications in Window 10 and Windows 10 Mobile clients.
+Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
 | Topic | Description |
 |---|---|
 |[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
 |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
+| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
+| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile |
diff --git a/windows/application-management/media/app-upgrade-cm-console.png b/windows/application-management/media/app-upgrade-cm-console.png
new file mode 100644
index 0000000000..8681e2fb39
Binary files /dev/null and b/windows/application-management/media/app-upgrade-cm-console.png differ
diff --git a/windows/application-management/media/app-upgrade-no-supersedence.png b/windows/application-management/media/app-upgrade-no-supersedence.png
new file mode 100644
index 0000000000..9a9bb9bb53
Binary files /dev/null and b/windows/application-management/media/app-upgrade-no-supersedence.png differ
diff --git a/windows/application-management/media/app-upgrade-old-version.png b/windows/application-management/media/app-upgrade-old-version.png
new file mode 100644
index 0000000000..e430be170e
Binary files /dev/null and b/windows/application-management/media/app-upgrade-old-version.png differ
diff --git a/windows/application-management/media/app-upgrade-supersede-deploy-type.png b/windows/application-management/media/app-upgrade-supersede-deploy-type.png
new file mode 100644
index 0000000000..24a45c5939
Binary files /dev/null and b/windows/application-management/media/app-upgrade-supersede-deploy-type.png differ
diff --git a/windows/application-management/media/svchost-grouped-processes.png b/windows/application-management/media/svchost-grouped-processes.png
new file mode 100644
index 0000000000..d85f8e8951
Binary files /dev/null and b/windows/application-management/media/svchost-grouped-processes.png differ
diff --git a/windows/application-management/media/svchost-grouped-utilization.png b/windows/application-management/media/svchost-grouped-utilization.png
new file mode 100644
index 0000000000..cd46b0d4b4
Binary files /dev/null and b/windows/application-management/media/svchost-grouped-utilization.png differ
diff --git a/windows/application-management/media/svchost-separated-processes.png b/windows/application-management/media/svchost-separated-processes.png
new file mode 100644
index 0000000000..83df0fe580
Binary files /dev/null and b/windows/application-management/media/svchost-separated-processes.png differ
diff --git a/windows/application-management/media/svchost-separated-utilization.png b/windows/application-management/media/svchost-separated-utilization.png
new file mode 100644
index 0000000000..5c5834cc44
Binary files /dev/null and b/windows/application-management/media/svchost-separated-utilization.png differ
diff --git a/windows/application-management/media/svchost-separation-disabled.png b/windows/application-management/media/svchost-separation-disabled.png
new file mode 100644
index 0000000000..5e0e57da92
Binary files /dev/null and b/windows/application-management/media/svchost-separation-disabled.png differ
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
new file mode 100644
index 0000000000..e2f00263db
--- /dev/null
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -0,0 +1,91 @@
+---
+title: Service Host service refactoring in Windows 10 version 1703
+description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: kaushika-ainapure
+author: kaushika-msft
+ms.date: 07/19/2017
+---
+
+# Changes to Service Host grouping in Windows 10
+
+> Applies to: Windows 10
+
+The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance does not affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
+
+* Local Service
+* Local Service No Network
+* Local Service Network Restricted
+* Local System
+* Local System Network Restricted
+* Network Service
+
+## Separating SvcHost services
+
+Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process.
+
+Benefits of this design change include:
+
+* Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash.
+* Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host. 
+* Increased security by providing additional inter-service isolation
+* Increased scalability by allowing per-service settings and privileges
+* Improved resource management through per-service CPU, I/O and memory management and increase clear telemetry (report CPU, I/O and network usage per service).
+
+>**Try This**
+>
+> To see the refactoring behavior, create a Windows 10 version 1703 VM and configure the memory settings as follows:
+> 1. To see grouped processes, set the RAM to 3484 MB or less. Restart the VM and then open Task Manager.
+> 2. To see separated processes, set the RAM to 3486 MB or greater. Restart the VM and then open Task Manager.
+
+
+Refactoring also makes it easier to view running processes in Task Manager. You can look at Task Manager and know exactly which service is using what resources, without having to expand many separate host groups.
+
+For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
+
+![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png)
+
+Compare that to the same view of running processes in Windows 10 version 1703:
+
+![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png)
+
+
+
+
+## Exceptions
+Some services will continue to be grouped on PCs running with 3.5GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services.
+
+If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
+
+The default value of **1** prevents the service from being split. 
+
+For example, this is the registry key configuration for BFE:
+![Example of a service that cannot be separated](media/svchost-separation-disabled.png)
+
+## Memory footprint
+
+Be aware that separating services increases the total number of SvcHost instances, which increases memory utlization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.)
+
+Consider the following:
+
+
+|Grouped Services (< 3.5GB) | Split Services (3.5GB+)
+|--------------------------------------- | ------------------------------------------ |
+|![Memory utilization for grouped services](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) |
+
+> [!NOTE]
+> The above represents the peak observed values.
+
+The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services.
+
+> **Try This**
+>
+>To determine the impact of splitting hosted services on a Windows 10 version 1703 PC, run the following Windows PowerShell cmdlet, before and after toggling the memory settings:
+>
+> ```powershell
+> Get-Process SvcHost | Group-Object -Property ProcessName | Format-Table Name, Count, @{n='Mem (KB)';e={'{0:N0}' -f (($_.Group|Measure-Object WorkingSet -Sum).Sum / 1KB)};a='right'} -AutoSize
+>```
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index 40c24a2981..ffe541cc15 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -7,6 +7,7 @@
 ## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
 ## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
 ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
+## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
 ## [Mobile device management for solution providers](mdm/index.md)
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 60a5ca32e6..4c8d8e4316 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Administrative Tools in Windows 10
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index e3193c1854..457e51889a 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: jdeckerMS
 ms.author: jdecker
 ms.date: 06/13/2017
@@ -16,6 +16,12 @@ ms.date: 06/13/2017
 This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## July 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Group Policy settings that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | Added that Start layout policy setting can be applied to Windows 10 Pro, version 1703 |
+
 ## June 2017
 | New or changed topic | Description |
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index cb6ad29962..43db69d30f 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Connect to remote Azure Active Directory-joined PC
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
index ecb2e27c4a..ff39d3cc04 100644
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: brianlic-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
@@ -23,9 +23,9 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
 | **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
 | **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
 | **Do not require CTRL+ALT+DEL**
    combined with
    **Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
    and
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

    **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
-| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight |
+| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
 | **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
+| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
 | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

    User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
 | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

    User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
 | **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
index 226c9237e7..fa02e99977 100644
--- a/windows/client-management/index.md
+++ b/windows/client-management/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Client management
@@ -18,15 +18,15 @@ Learn about the administrative tools, tasks and best practices for managing Wind
| Topic | Description |
|---|---|
|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.|
-|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
-|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
-|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
-|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones |
-|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
-|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
+|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
+|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote 
PC joined to Azure Active Directory (Azure AD)|
+|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
+|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
+| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
-|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
+|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
+|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. 
|
|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |
\ No newline at end of file
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 69f6f73aa0..3536562d23 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Join Windows 10 Mobile to Azure Active Directory
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index b5e9a331ae..78ca7c8d39 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage corporate devices
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 1607cad11f..396ee16956 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage Windows 10 in your organization - transitioning to modern management
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index e249f70aa6..e9a60b1ed6 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -17,8 +17,7 @@ ms.date: 06/13/2017
- Windows 10
-> [!NOTE]
-> When a mandatory profile is applied to a PC running Windows 10, version 1511, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update.
+ A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 8c297f234b..2d6046fef1 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -6,6 +6,7 @@
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
+## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
@@ -194,14 +195,17 @@
#### [DeviceInstallation](policy-csp-deviceinstallation.md)
#### [DeviceLock](policy-csp-devicelock.md)
#### [Display](policy-csp-display.md)
+#### [Education](policy-csp-education.md)
#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
#### [ErrorReporting](policy-csp-errorreporting.md)
#### [EventLogService](policy-csp-eventlogservice.md)
#### [Experience](policy-csp-experience.md)
+#### [ExploitGuard](policy-csp-exploitguard.md)
#### [Games](policy-csp-games.md)
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)
+#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
@@ -228,6 +232,7 @@
#### [TimeLanguageSettings](policy-csp-timelanguagesettings.md)
#### [Update](policy-csp-update.md)
#### [Wifi](policy-csp-wifi.md)
+#### [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)
#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
#### [WindowsLogon](policy-csp-windowslogon.md)
#### [WirelessDisplay](policy-csp-wirelessdisplay.md)
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index e1097181a3..7564c89e41 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
---
# AppLocker CSP
@@ -156,6 +156,20 @@ Each of the previous nodes contains one or more of the following leaf nodes:

    Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

    Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

    For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.

    +

    Here is a sample certutil invocation:

    + +``` +certutil -encode WinSiPolicy.p7b WinSiPolicy.txt +``` + +

    Use only the data enclosed in the BEGIN CERTIFIFCATE and END CERTIFICATE section. Ensure that you have removed all line breaks before passing the data to the CSP node.

    +

    An alternative to using certutil would be to use the following PowerShell invocation:

    + +``` +[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` + +

    If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

    Data type is string. Supported operations are Get, Add, Delete, and Replace.

    @@ -777,8 +791,70 @@ The following list shows the apps that may be included in the inbox.   -## Whitelist example +## Whitelist examples +The following example disables the calendar application. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/></Deny></AppPolicy> + + + + + + +``` + +The following example blocks the usage of the map application. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy + + + chr + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /> + </Conditions> + </FilePublisherRule> + + </RuleCollection> + + + + + + +``` The following example for Windows 10 Mobile denies all apps and allows the following apps: diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 8c6466d2d4..59f79b2a6c 100644 
--- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/27/2017 --- # AssignedAccess CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration. @@ -19,8 +21,6 @@ For step-by-step guide for setting up devices to run in kiosk mode, see [Set up > **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education. -  - The following diagram shows the AssignedAccess configuration service provider in tree format ![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) 
@@ -36,21 +36,29 @@ In Windows 10, version 1607, you can use a provisioned app to configure the kio Here's an example: ``` syntax -{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} +{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} ``` When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. > **Note**  The domain name can be optional if the user name is unique across the system. -  For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output. + The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. -## Examples +**AssignedAccess/Configuration** +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Enterprises can use this to easily configure and manage the curated lockdown experience. + +Supported operations are Add, Get, Delete, and Replace. + +Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout). + +## Examples KioskModeApp Add 
@@ -132,11 +140,319 @@ KioskModeApp Replace ``` +## AssignedAccessConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Overview of the AssignedAccessConfiguration XML + +Let's start by looking at the basic structure of the XML file.  + +- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run.  +- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id. +- A profile has no effect if it’s not associated to a user account.    +A profile node has below information:  +- Id: a GUID attribute to uniquely identify the Profile. +- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps.  +- StartLayout: a node for startlayout policy xml.  +- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar.  + +You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml. + +``` syntax + + +    +        +            +                +                      +            +            +        +    +    +        +            +            +        +    + +```   +### Allowed apps +Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules.  +- For Windows apps, you need to provide the App User Model ID (AUMID).  + - [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or  + - Get the AUMID via the [Start Layout XML](#start-layout).  
+- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). +Here are the predefined assigned access AppLocker rules:  +**For UWP apps** +    +1. Default rule is to allow all users to launch the signed package apps.  +2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list.  +  +> [!Note] +> Assigned access multi-app mode doesn’t block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list.  +  +**For Win32 apps** +1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs.  +2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration.  +3. Enterprise defined allowed desktop apps are added in the AppLocker allow list.  
+ +The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device. + +``` syntax +      +        +          +          +          +          +          +          +          +        +      +``` + +### Start layout + +Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start.  +  +The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout.  + +A few things to note here: + +- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration.  +- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout.  +- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration. + +The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start. 
+ +```syntax +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +``` + +For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) + +### Taskbar + +Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.  +The following example exposes the taskbar to the end user: + +``` syntax +      +``` +The following example hides the taskbar: + +``` syntax +      +``` + +> [!Note] +> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar.  + +### Profiles and configs + +In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.  + +``` syntax +  +    +``` + +Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience.  
+ +``` syntax +  +    +      MultiAppKioskUser +      +      +``` + +> [!Note] +> - The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.   +> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. + +### Example AssignedAccessConfiguration XML + +``` syntax + + +    +      +        +          +          +          +          +          +          +          +        +      +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +      +    +    +      MultiAppKioskUser +      +    + +``` diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f3cb07376f..a5f029da79 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/27/2017
---
# AssignedAccess DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@@ -20,13 +22,15 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + [ + +]> 1.2 
@@ -46,25 +50,52 @@ The XML below is the current version for this CSP. - + com.microsoft/1.1/MDM/AssignedAccess KioskModeApp + - - This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app. + This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. -This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. +This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. + + + + + + + + + + + + + + text/plain + + + + + Configuration + + + + + + + + This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index d205a19291..aeea498de9 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -634,7 +634,6 @@ Alert sample: com.microsoft/MDM/AADUserToken - chr UserToken inserted here 
@@ -664,7 +663,6 @@ Here's an example. com.microsoft/MDM/LoginStatus - chr user
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 24db3c3c45..6b49909e86 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/05/2017
+ms.date: 08/28/2017
---
# BitLocker CSP
@@ -34,6 +34,11 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.

    +- 0 (default) – Storage cards do not need to be encrypted. +- 1 – Require Storage cards to be encrypted. + +

    Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.

    +

    If you want to disable this policy use the following SyncML:

    ``` syntax @@ -86,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is integer. Supported operations are Add, Get, Replace, and Delete.

    -**EncryptionMethodByDriveType** -

    Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).

    +**EncryptionMethodByDriveType** +

    Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*
    • +
    • GP name: *EncryptionMethodWithXts_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

    @@ -106,12 +141,11 @@ The following diagram shows the BitLocker configuration service provider in tree

    EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.

    The possible values for 'xx' are:

    -
      -
    • 3 = AES-CBC 128
    • -
    • 4 = AES-CBC 256
    • -
    • 6 = XTS-AES 128
    • -
    • 7 = XTS-AES 256
    • -
    + +- 3 = AES-CBC 128 +- 4 = AES-CBC 256 +- 6 = XTS-AES 128 +- 7 = XTS-AES 256 > [!Note] > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. @@ -136,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is string. Supported operations are Add, Get, Replace, and Delete.

    **SystemDrivesRequireStartupAuthentication** -

    This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).

    +

    This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Require additional authentication at startup*
    • +
    • GP name: *ConfigureAdvancedStartup_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

    @@ -147,6 +211,9 @@ The following diagram shows the BitLocker configuration service provider in tree

    On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

    +> [!Note]
    +> In Windows 10, version 1709, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
    +

    If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

    If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.
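Review bot: The added note that a 4-digit PIN is allowed in version 1709 contradicts the unchanged sentence immediately above it, which still describes `the entry of a 6-digit to 20-digit personal identification number (PIN)`, so the new text disagrees with itself. Qualify that sentence instead of leaving both: `the entry of a personal identification number (PIN) of 6 to 20 digits (4 to 20 digits from Windows 10, version 1709, when SystemDrivesMinimumPINLength allows it)`. It would also be worth saying here that the shorter minimum relies on the TPM 2.0 lockout adjustment described under SystemDrivesMinimumPINLength, because it is the TPM lockout rather than this policy that limits guessing of a 4-digit PIN.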

    @@ -200,10 +267,45 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is string. Supported operations are Add, Get, Replace, and Delete.

    **SystemDrivesMinimumPINLength** -

    This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).

    +

    This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name:*Configure minimum PIN length for startup*
    • +
    • GP name: *MinimumPINLength_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

    +> [!Note]
    +> In Windows 10, version 1709, you can use a minimum PIN length of 4 digits.
    +>
    +>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
    +

    If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.

    If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
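Review bot: The added note allows a 4-digit minimum in version 1709, but the unchanged text in the same hunk still states `The startup PIN must have a minimum length of 6 digits` and `any length between 6 and 20 digits`, so the page now contradicts itself; qualify both as `a minimum length of 6 digits (4 digits in Windows 10, version 1709 and later)`. The TPM paragraph states the mechanism but not the consequence for the administrator: it says Windows lengthens the TPM 2.0 lockout period when the minimum is below 6 and that this does not apply to TPM 1.2, so add `> On TPM 1.2 devices a PIN shorter than 6 digits gets no additional lockout protection; keep the minimum at 6 or more on those devices.` The sentence beginning `If successful` also leaves the failure case undefined — whether a short PIN is still accepted when the lockout update fails should be stated, if known.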

    @@ -235,6 +337,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryMessage**

    This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Configure pre-boot recovery message and URL*
    • +
    • GP name: *PrebootRecoveryInfo_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.

    @@ -251,14 +383,13 @@ The following diagram shows the BitLocker configuration service provider in tree ```

    The possible values for 'xx' are:

    -
      -
    • 0 = Empty
    • -
    • 1 = Use default recovery message and URL.
    • -
    • 2 = Custom recovery message is set.
    • -
    • 3 = Custom recovery URL is set.
    • -
    • 'yy' = string of max length 900.
    • -
    • 'zz' = string of max length 500.
    • -
    + +- 0 = Empty +- 1 = Use default recovery message and URL. +- 2 = Custom recovery message is set. +- 3 = Custom recovery URL is set. +- 'yy' = string of max length 900. +- 'zz' = string of max length 500. > [!Note] > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. @@ -287,6 +418,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryOptions**

    This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Choose how BitLocker-protected operating system drives can be recovered*
    • +
    • GP name: *OSRecoveryUsage_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

    @@ -354,7 +515,37 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is string. Supported operations are Add, Get, Replace, and Delete.

    **FixedDrivesRecoveryOptions** -

    This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).

    +

    This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Choose how BitLocker-protected fixed drives can be recovered*
    • +
    • GP name: *FDVRecoveryUsage_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

    @@ -424,6 +615,36 @@ The following diagram shows the BitLocker configuration service provider in tree **FixedDrivesRequireEncryption**

    This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Deny write access to fixed drives not protected by BitLocker*
    • +
    • GP name: *FDVDenyWriteAccess_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

    @@ -456,6 +677,36 @@ The following diagram shows the BitLocker configuration service provider in tree **RemovableDrivesRequireEncryption**

    This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

    + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    +

    ADMX Info:

    +
      +
    • GP English name: *Deny write access to removable drives not protected by BitLocker*
    • +
    • GP name: *RDVDenyWriteAccess_Name*
    • +
    • GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives*
    • +
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

    This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

    @@ -497,6 +748,31 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +**AllowWarningForOtherDiskEncryption** + +

    Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

    + +

    The following list shows the supported values:

    + +- 0 – Disables the warning prompt. +- 1 (default) – Warning prompt allowed. + +

    Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

    + +``` syntax + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + + 0 + + +``` ### SyncML example @@ -661,29 +937,3 @@ The following example is provided to show proper format and should not be taken ``` - -**AllowWarningForOtherDiskEncryption** - -

    Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

    - -

    The following list shows the supported values:

    - -- 0 – Disables the warning prompt. -- 1 (default) – Warning prompt allowed. - -

    Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

    - -``` syntax - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - -``` \ No newline at end of file diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 392f0820ef..7e2371d151 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -183,14 +183,15 @@ The following diagram shows the CM\_CellularEntries configuration service provid

    For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. **PurposeGroups** -

    Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: +

    Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: - Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F - MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8 - IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13 - SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD -- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10) -- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10) +- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB +- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 +- Application - 52D7654A-00A8-4140-806C-087D66705306 ## Additional information diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index f5bba14384..f619993de2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -840,8 +840,8 @@ Footnotes: cross mark check mark2 check mark2 - cross mark - cross mark + check mark3 + check mark3 diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index c1c33e5921..5eb786803f 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -150,34 +150,37 @@ The following diagram shows the DevDetail configuration service provider managem > [!NOTE] > This is not supported in Windows 10 for desktop editions. -**VoLTEServiceSetting** +**Ext/VoLTEServiceSetting**

    Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.

    Supported operation is Get. -**WlanIPv4Address** +**Ext/WlanIPv4Address**

    Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.

    Supported operation is Get. -**WlanIPv6Address** +**Ext/WlanIPv6Address**

    Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.

    Supported operation is Get. -**WlanDnsSuffix** +**Ext/WlanDnsSuffix**

    Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.

    Supported operation is Get. -**WlanSubnetMask** +**Ext/WlanSubnetMask**

    Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.

    Supported operation is Get. -**DeviceHardwareData** +**Ext/DeviceHardwareData**

    Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. +> [!Note] +> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information. +

    Supported operation is Get. ## Related topics diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 7b74bff2f6..1edda04b19 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: - It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. +- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 48dbeed8c0..562f8b5117 100644 
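Review bot: The new note under Ext/DeviceHardwareData tells the reader the blob is opaque but not that it is a persistent device identifier, which is the property an MDM implementer needs for handling and retention decisions. Extend the note: `> Because the value identifies the device, handle it like other device identifiers: send it only to the management service that needs it and do not write it to logs.` Whether the value stays the same across a reimage or a hardware change is not stated and determines whether it can be used to re-associate a device — worth adding if known.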
--- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -7,12 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/10/2017 --- # DeviceManageability CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. 
@@ -30,11 +33,24 @@ Interior node. **Capabilities/CSPVersions** Returns the versions of all configuration service providers supported on the device for the MDM service. +**Provider** +Added in Windows 10, version 1709. Interior node. +**Provider/_ProviderID_** +Added in Windows 10, version 1709. Provider ID of the configuration source. -  +**Provider/_ProviderID_/ConfigInfo** +Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session. + +The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information. + +Data type is string. Supported operations are Add, Get, Delete, and Replace. + +**Provider/_ProviderID_/EnrollmentInfo** +Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment. + +Data type is string. Supported operations are Add, Get, Delete, and Replace.  -  diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index f45881a241..a1f646623e 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -7,12 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/10/2017 --- # DeviceManageability DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. You can download the DDF files from the links below: 
@@ -20,7 +23,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -46,7 +49,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/DeviceManageability + com.microsoft/1.1/MDM/DeviceManageability @@ -90,9 +93,105 @@ The XML below is the current version for this CSP. + + Provider + + + + + + + + + + + + + + + + Provider + + + + + + + + + + + + + Provider ID String of the Configuration Source + + + + + + + + + + ProviderID + + + + + + ConfigInfo + + + + + + + + Configuration Info string value set by the config source. Recommended to be used during sync session. + + + + + + + + + + ConfigInfo + + text/plain + + + + + EnrollmentInfo + + + + + + + + Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment. + + + + + + + + + + EnrollmentInfo + + text/plain + + + + + - ```   diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 9abf518c45..2d8c6f0b32 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md 
@@ -12,6 +12,8 @@ ms.date: 06/19/2017 # DeviceStatus CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. @@ -113,32 +115,32 @@ Boolean value that indicates compliance with the enterprise encryption policy. T Supported operation is Get. **DeviceStatus/TPM** -Added in , version 1607. Node for the TPM query. +Added in Windows, version 1607. Node for the TPM query. Supported operation is Get. **DeviceStatus/TPM/SpecificationVersion** -Added in , version 1607. String that specifies the specification version. +Added in Windows, version 1607. String that specifies the specification version. Supported operation is Get. **DeviceStatus/OS** -Added in , version 1607. Node for the OS query. +Added in Windows, version 1607. Node for the OS query. Supported operation is Get. **DeviceStatus/OS/Edition** -Added in , version 1607. String that specifies the OS edition. +Added in Windows, version 1607. String that specifies the OS edition. Supported operation is Get. **DeviceStatus/Antivirus** -Added in , version 1607. Node for the antivirus query. +Added in Windows, version 1607. Node for the antivirus query. Supported operation is Get. **DeviceStatus/Antivirus/SignatureStatus** -Added in , version 1607. Integer that specifies the status of the antivirus signature. +Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. Valid values: 
@@ -149,7 +151,7 @@ Valid values: Supported operation is Get. **DeviceStatus/Antivirus/Status** -Added in , version 1607. Integer that specifies the status of the antivirus. +Added in Windows, version 1607. Integer that specifies the status of the antivirus. Valid values: @@ -162,27 +164,27 @@ Valid values: Supported operation is Get. **DeviceStatus/Antispyware** -Added in , version 1607. Node for the antispyware query. +Added in Windows, version 1607. Node for the antispyware query. Supported operation is Get. **DeviceStatus/Antispyware/SignatureStatus** -Added in , version 1607. Integer that specifies the status of the antispyware signature. +Added in Windows, version 1607. Integer that specifies the status of the antispyware signature. Supported operation is Get. **DeviceStatus/Antispyware/Status** -Added in , version 1607. Integer that specifies the status of the antispyware. +Added in Windows, version 1607. Integer that specifies the status of the antispyware. Supported operation is Get. **DeviceStatus/Firewall** -Added in , version 1607. Node for the firewall query. +Added in Windows, version 1607. Node for the firewall query. Supported operation is Get. **DeviceStatus/Firewall/Status** -Added in , version 1607. Integer that specifies the status of the firewall. +Added in Windows, version 1607. Integer that specifies the status of the firewall. Valid values: 
@@ -195,43 +197,84 @@ Valid values: Supported operation is Get. **DeviceStatus/UAC** -Added in , version 1607. Node for the UAC query. +Added in Windows, version 1607. Node for the UAC query. Supported operation is Get. **DeviceStatus/UAC/Status** -Added in , version 1607. Integer that specifies the status of the UAC. +Added in Windows, version 1607. Integer that specifies the status of the UAC. Supported operation is Get. **DeviceStatus/Battery** -Added in , version 1607. Node for the battery query. +Added in Windows, version 1607. Node for the battery query. Supported operation is Get. **DeviceStatus/Battery/Status** -Added in , version 1607. Integer that specifies the status of the battery +Added in Windows, version 1607. Integer that specifies the status of the battery Supported operation is Get. **DeviceStatus/Battery/EstimatedChargeRemaining** -Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). +Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/Battery/EstimatedRuntime** -Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). +Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. 
This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -  - -  +**DeviceStatus/DomainName** +Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string. +Supported operation is Get. + +**DeviceStatus/DeviceGuard** +Added in Windows, version 1709. Node for Device Guard query. + +Supported operation is Get. + +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** +Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. + +- 0x0: System meets hardware configuration requirements +- 0x1: SecureBoot required +- 0x2: DMA Protection required +- 0x4: HyperV not supported for Guest VM +- 0x8: HyperV feature is not available + +Supported operation is Get. + +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** +Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: +- 0 - Running +- 1 - Reboot required +- 2 - 64 bit architecture required +- 3 - not licensed +- 4 - not configured +- 5 - System doesn't meet hardware requirements +- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details + + +Supported operation is Get. + +**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** +Added in Windows, version 1709. Local System Authority (LSA) credential guard status. + +- 0 - Running +- 1 - Reboot required +- 2 - Not licensed for Credential Guard +- 3 - Not configured +- 4 - VBS not running + + +Supported operation is Get. 
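Review bot: `The value is a 256 value bitmask` for VirtualizationBasedSecurityHwReq does not say how the listed flags combine, which a server parsing the node needs; rewrite it as `The value is a bitmask; the flags below are combined with bitwise OR, so 0x0 means every requirement is met and a nonzero value lists each unmet requirement.` Every new node in this hunk reads `Added in Windows, version 1709`, where the rest of the reference (for example the DevDetail page) writes `Windows 10, version ...`, so the product name is incomplete. For VirtualizationBasedSecurityStatus and LsaCfgCredGuardStatus it would help a compliance evaluator to say explicitly that only 0 means the protection is active and that any other value, including 42 `Other`, should be treated as not protected rather than as a transient state.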
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 9fc150cf5b..b9e8608716 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/24/2017 --- # DeviceStatus DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML. @@ -20,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -46,7 +48,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/DeviceStatus + com.microsoft/1.4/MDM/DeviceStatus 
@@ -761,16 +763,108 @@ The XML below is the current version for this CSP. + + DomainName + + + + + Returns the fully qualified domain name of the device(if any). + + + + + + + + + + DomainName + + text/plain + + + + + DeviceGuard + + + + + + + + + + + + + + + + + + + VirtualizationBasedSecurityHwReq + + + + + + + + + + + + + + + text/plain + + + + + VirtualizationBasedSecurityStatus + + + + + + + + + + + + + + + text/plain + + + + + LsaCfgCredGuardStatus + + + + + + + + + + + + + + + text/plain + + + + -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md new file mode 100644 index 0000000000..f7e605575a --- /dev/null +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -0,0 +1,300 @@ +--- +title: Enable ADMX-backed policies in MDM +description: Guide to configuring ADMX-backed policies in MDM +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/11/2017 +--- + +# Enable ADMX-backed policies in MDM + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This is a step-by-step guide to configuring ADMX-backed policies in MDM. + +Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. + +Summary of steps to enable a policy: +- Find the policy from the list ADMX-backed policies. +- Find the Group Policy related information from the MDM policy description. +- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. +- Create the data payload for the SyncML. + +## Enable a policy + +1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description. + - GP English name + - GP name + - GP ADMX file name + - GP path + +2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc + + 1. Click **Start**, then in the text box type **gpedit**. + + 2. Under **Best match**, click **Edit group policy** to launch it. + + ![GPEdit search](images/admx-gpedit-search.png) + + 3. 
In **Local Computer Policy** navigate to the policy you want to configure. + + In this example, navigate to **Administrative Templates > System > App-V**. + + ![App-V policies](images/admx-appv.png) + + 4. Double-click **Enable App-V Client**. + + The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters) + + ![Enable App-V client](images/admx-appv-enableapp-vclient.png) + +3. Create the SyncML to enable the policy that does not require any parameter. + + In this example you configure **Enable App-V Client** to **Enabled**. + +> [!Note] +> The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. + +``` syntax + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient + + <Enabled/> + + + + + +``` + + +## Enable a policy that requires parameters + + +1. Create the SyncML to enable the policy that requires parameters. + + In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. + + 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy. + + ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png) + + ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png) + + 2. Find the variable names of the parameters in the ADMX file. + + You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). 
+ + ![Publishing server 2 policy description](images/admx-appv-policy-description.png) + + 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. + + 4. Search for GP name **Publishing_Server2_policy**. + + + 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor. + + Here is the snippet from appv.admx: + + ``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + + 6. From the \ tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor. + + Here is the example XML for Publishing_Server2_Policy : + + ``` syntax + + + + + + + + + + + ``` + + 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. + + Here is the example for **AppVirtualization/PublishingAllowServer2**: + +> [!Note] +> The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. + + ``` syntax + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 + + ]]> + + + + + + ``` + + +## Disable a policy + +The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2. + +``` syntax + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 + + <disabled/> + + + + + +``` + +## Setting a policy to not configured + +The \ payload is empty. 
Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured." + +``` syntax + + + + + 1 + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 7d94f470b7..222f582e36 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/12/2017 --- # EnterpriseAssignedAccess CSP @@ -26,7 +26,7 @@ The following diagram shows the EnterpriseAssignedAccess configuration service p The following list shows the characteristics and parameters. -**.Vendor/MSFT/EnterpriseAssignedAccess/** +**./Vendor/MSFT/EnterpriseAssignedAccess/** The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations are Add, Delete, Get and Replace. **AssignedAccess/** 
@@ -39,10 +39,10 @@ Supported operations are Add, Delete, Get and Replace.
 The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
-> **Important**  
-When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as < instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
+> [!Important]   
+> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
-When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters.
+When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
 Entry | Description
 ----------- | ------------
@@ -136,10 +136,7 @@ An application that belongs in the folder would add an optional attribute **Pare
 Entry | Description
 ----------- | ------------
-Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.
-
-> [!Important]
-> Do not specify a group entry without a page entry because it will cause an undefined behavior.
+Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. For Windows 10, version 1703, see the instructions below for the new way to specify the settings pages.

    • System (main menu) - SettingsPageGroupPCSystem @@ -245,12 +242,32 @@ Settings | Starting in Windows 10, version 1511, you can specify the following
    +Entry | Description +----------- | ------------ +Settings | Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. + +For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. + +Here is an example for Windows 10, version 1703. + +``` syntax + + + + + + + + + +``` + **Quick action settings** Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). > [!Note] -> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703. +> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
    • SystemSettings_System_Display_QuickAction_Brightness
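Review bot: The new Note in this hunk opens with `> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added…`, which reads as a fragment; `> In Windows 10, versions 1511 and 1607 only, the dependent settings group and pages are automatically added…` states the version scope cleanly. The closing sentence about version 1703 is repeated almost verbatim at the start of the `@@ -287,6 +304,25 @@` hunk, where it also carries the typo `dependencis`; that line should read `Starting in Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page. Here is the list:` and one of the two statements could point to the other instead of restating it. The ms-settings example block added here shows no content in this view, so its XML could not be checked.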

      @@ -287,6 +304,25 @@ Starting in Windows 10, version 1511, you can specify the following quick acti

      Dependencies - none

    +Starting in Windows 10, version 1703, Quick action settings no longer require any dependencis from related group or page. Here is the list: +- QuickActions_Launcher_AllSettings +- QuickActions_Launcher_DeviceDiscovery +- SystemSettings_BatterySaver_LandingPage_OverrideControl +- SystemSettings_Device_BluetoothQuickAction +- SystemSettings_Flashlight_Toggle +- SystemSettings_Launcher_QuickNote +- SystemSettings_Network_VPN_QuickAction +- SystemSettings_Privacy_LocationEnabledUserPhone +- SystemSettings_QuickAction_AirplaneMode +- SystemSettings_QuickAction_Camera +- SystemSettings_QuickAction_CellularData +- SystemSettings_QuickAction_InternetSharing +- SystemSettings_QuickAction_QuietHours +- SystemSettings_QuickAction_WiFi +- SystemSettings_System_Display_Internal_Rotation +- SystemSettings_System_Display_QuickAction_Brightness + + In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. ``` syntax @@ -294,7 +330,7 @@ In this example, all settings pages and quick action settings are allowed. An em ``` -In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. +In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. ``` syntax @@ -310,6 +346,19 @@ In this example, all System setting pages are enabled. Note that the System page ``` +Here is an example for Windows 10, version 1703. + +``` syntax + + + + + + + + + +``` Entry | Description ----------- | ------------ diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 95722f7b40..c79f4f55e9 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/09/2017
 ---
 # EnterpriseDataProtection CSP
@@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
 - 0 (default) – Off / No protection (decrypts previously protected data).
 - 1 – Silent mode (encrypt and audit only).
-- 2 – Override mode (encrypt, prompt, and audit).
-- 3 – Block mode (encrypt, block, and audit).
+- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
+- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).

 Supported operations are Add, Get, Replace and Delete. Value type is integer.
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index f793b9b7af..89037bff06 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/11/2017
 ---
 # EnterpriseDesktopAppManagement CSP
@@ -48,6 +48,26 @@ Installation date of the application. Value type is string. Supported operation
 **MSI/*ProductID*/DownloadInstall**
 Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
+In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
+
+Here is an example:
+
+```syntax
+
+
+ /quiet
+
+ 5
+
+ 3
+
+ 5
+
+ 1
+
+
+```
+
 **MSI/*ProductID*/Status**
 Status of the application. Value type is string. Supported operation is Get.
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md
index a1520e20ad..ea69e071b5 100644
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
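Review bot: In the new DownloadInstall paragraph the tag name and its parent element do not render (`a new tag \ was added to the \ section of the XML`), which suggests they were written as raw angle-bracket markup; escaping the brackets or putting the names in code spans would make them visible and let a reader match the trailing `1` in the example to the element it sets. The paragraph also leaves the security-relevant part implicit: setting the value to `1` causes the client to release the AADUserToken to the download URL supplied by the server, so it should state how the token is carried in that download request and that the default `0 (do not send token)` should be kept unless the download host is meant to receive the user's token. The example block's element names are stripped in this view as well and could not be checked.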
@@ -129,7 +129,7 @@ The discovery response is in the XML format and includes the following fields:
 - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
 - In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
-> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
+> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
  
@@ -297,7 +297,7 @@ After the user is authenticated, the web service retrieves the certificate templ
 MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
-> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
+> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
  
@@ -482,7 +482,7 @@ The following example shows the enrollment web service request for federated aut
 After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
-> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
+> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
  
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 71cc5e3867..ea9ebb3cb7 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/18/2017
 ---
 # Firewall CSP
@@ -33,35 +33,45 @@ The following diagram shows the Firewall configuration service provider in tree
 **MdmStore/Global**

    Interior node.

    -

    Supported operations are Get and Replace.

    +

    Supported operations are Get.

    **MdmStore/Global/PolicyVersionSupported** -

    DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

    +

    Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

    Value type in integer. Supported operation is Get.

    **MdmStore/Global/CurrentProfiles** -

    DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

    +

    Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

    Value type in integer. Supported operation is Get.

    **MdmStore/Global/DisableStatefulFtp** -

    This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.

    -

    Boolean value. Supported operations are Get and Replace.

    +

    Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

    +

    Default value is false.

    +

    Data type is bool. Supported operations are Add, Get, Replace, and Delete.

    **MdmStore/Global/SaIdleTime** -

    This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    +

    Default value is 300.

    +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    -**MdmStore/Global/TPresharedKeyEncodingBD** -

    Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    -

    Value type is integer. Supported operations are Get and Replace.

    +**MdmStore/Global/PresharedKeyEncoding** +

    Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/en-us/library/cc231525.aspx). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    +

    Default value is 1.

    +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    **MdmStore/Global/IPsecExempt** -

    This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/en-us/library/cc231523.aspx); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    +

    Default value is 0.

    +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    **MdmStore/Global/CRLcheck** -

    This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

    +
      +
    • 0 disables CRL checking
    • +
    • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
    • +
    • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
    • +
    +

    Default value is 0.

    +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    **MdmStore/Global/PolicyVersion**

    This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
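Review bot: `Supported operations are Get.` under **MdmStore/Global** should be `Supported operation is Get.`, the wording this file uses for its other interior nodes (**MdmStore/DomainProfile** in the next hunk, for example). Under **MdmStore/Global/CRLcheck** the list is introduced with `Valid valued:`, which should be `Valid values:`, and its first and third items lack the terminating period the second one has. This hunk also widens the Global leaves from Get/Replace to Add/Get/Replace/Delete and adds a default for each, but does not say what a Delete leaves behind; a sentence stating whether Delete restores the listed default would close that gap, especially for **CRLcheck**, whose default of 0 disables CRL checking.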

    @@ -72,12 +82,20 @@ The following diagram shows the Firewall configuration service provider in tree

    Value type is string. Supported operation is Get.

    **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

    This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

    -

    Boolean value. Supported operations are Get and Replace.

    +

    This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

    +

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    **MdmStore/Global/EnablePacketQueue** -

    This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:

    + +
      +
    • 0x00 indicates that all queuing is to be disabled
    • +
    • 0x01 specifies that inbound encrypted packets are to be queued
    • +
    • 0x02 specifies that packets are to be queued after decryption is performed for forwarding
    • +
    + +

    Default value is 0.

    +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    **MdmStore/DomainProfile**

    Interior node. Supported operation is Get.
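Review bot: **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** is the only leaf rewritten in this change without a `Default value is …` line; every other Global node rewritten here, including **EnablePacketQueue** directly below it, now states one, so the actual default should be added after the description in the same form (e.g. `Default value is false.` if that is what the client reports). The retained sentence `For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.` is not actionable without saying where the schema version can be read; if **MdmStore/Global/PolicyVersionSupported** is that value, a pointer to it here would help.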

    @@ -89,58 +107,79 @@ The following diagram shows the Firewall configuration service provider in tree

    Interior node. Supported operation is Get.

    **/EnableFirewall** -

    This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +

    Default value is true.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/DisableStealthMode** -

    This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +

    Default value is false.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/Shielded** -

    This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

    +

    Default value is false.

    +

    Value type is bool. Supported operations are Get and Replace.

    **/DisableUnicastResponsesToMulticastBroadcast** -

    This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +

    Default value is false.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/DisableInboundNotifications** -

    This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +

    Default value is false.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/AuthAppsAllowUserPrefMerge** -

    This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +

    Default value is true.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/GlobalPortsAllowUserPrefMerge** -

    This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +

    Default value is true.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/AllowLocalPolicyMerge** -

    This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

    +

    Default value is true.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/AllowLocalIpsecPolicyMerge** -

    This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

    +

    Default value is true.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **/DefaultOutboundAction** -

    This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

    +
      +
    • 0x00000000 - allow
    • +
    • 0x00000001 - block
    • +
    +

    Default value is 0 (allow).

    +

    Value type is integer. Supported operations are Add, Get and Replace.

    **/DefaultInboundAction** -

    This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

    +
      +
    • 0x00000000 - allow
    • +
    • 0x00000001 - block
    • +
    +

    Default value is 1 (block).

    +

    Value type is integer. Supported operations are Add, Get and Replace.

    **/DisableStealthModeIpsecSecuredPacketExemption** -

    This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

    -

    Value type is integer. Supported operations are Get and Replace.

    +

    Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

    +

    Default value is true.

    +

    Value type is bool. Supported operations are Add, Get and Replace.

    **FirewallRules**

    A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

    **FirewallRules/_FirewallRuleName_**

    Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

    +

    Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/App**

    Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

    @@ -150,6 +189,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • FQBN
  • ServiceName
  • +

    If not specified, the default is All.

    Supported operation is Get.

    **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** @@ -170,14 +210,17 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Protocol**

    0-255 number representing the ip protocol (TCP = 6, UDP = 17)

    +

    If not specified, the default is All.

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalPortRanges**

    Comma separated list of ranges. For example, 100-120,200,300-320.

    +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/RemotePortRanges**

    Comma separated list of ranges, For example, 100-120,200,300-320.

    +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalAddressRanges** @@ -189,6 +232,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/RemoteAddressRanges** @@ -209,6 +253,7 @@ The following diagram shows the Firewall configuration service provider in tree
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +

    If not specified, the default is All.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/Description** @@ -217,13 +262,13 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Enabled**

    Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is disabled by default.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified - a new rule is disabled by default.

    +

    Boolean value. Supported operations are Get and Replace.

    **FirewallRules_FirewallRuleName_/Profiles** -

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

    - -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +

    Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

    +

    If not specified, the default is All.

    +

    Value type is integer. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Action**

    Specifies the action for the rule.

    @@ -235,7 +280,8 @@ If not specified - a new rule is disabled by default.

  • 0 - Block
  • 1 - Allow
  • -

    Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified, the default is allow.

    +

    Value type is integer. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/Direction**

    Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:

    @@ -244,27 +290,24 @@ If not specified - a new rule is disabled by default.

  • OUT - the rule applies to outbound traffic.
  • If not specified, the default is IN.
  • -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +

    Value type is string. Supported operations are Get and Replace.

    **FirewallRules/FirewallRuleName/InterfaceTypes**

    Comma separated list of interface types. Valid values:

    • RemoteAccess
    • Wireless
    • +
    • Lan
    • MobileBroadband
    • -
    • All
    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    - -**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -

    List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    +

    If not specified, the default is All.

    +

    Value type is string. Supported operations are Get and Replace.

    **FirewallRules/_FirewallRuleName_/EdgeTraversal**

    Indicates whether edge traversal is enabled or disabled for this rule.

    The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

    New rules have the EdgeTraversal property disabled by default.

    -

    Boolean value. Supported operations are Add, Get, Replace, and Delete.

    +

    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

    **FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**

    Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

    @@ -274,10 +317,6 @@ If not specified - a new rule is disabled by default.

    Provides information about the specific verrsion of the rule in deployment for monitoring purposes.

    Value type is string. Supported operation is Get.

    -**FirewallRules/_FirewallRuleName_/FriendlyName** -

    Specifies the friendly name of the rule. The string must not contain the "|" character.

    -

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    - **FirewallRules/_FirewallRuleName_/Name**

    Name of the rule.

    Value type is string. Supported operations are Add, Get, Replace, and Delete.

    diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 9456acd05e..7a8de5174f 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/18/2017 --- # Firewall CSP @@ -30,6 +30,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + Root node for the Firewall configuration service provider. @@ -67,7 +68,6 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - @@ -88,7 +88,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. + Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. 
@@ -109,7 +109,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. @@ -130,8 +130,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win. + FALSE + This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. 
@@ -152,8 +155,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 300 + This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. @@ -174,8 +180,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 1 + Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -196,8 +205,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + 0 + This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -218,8 +230,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 
@@ -282,8 +296,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. 
@@ -304,8 +320,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + + - This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + 0 + This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. 
@@ -346,10 +365,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -368,10 +389,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -391,9 +414,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -412,10 +436,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -434,10 +460,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -456,10 +484,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -478,10 +508,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -500,10 +532,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -522,10 +556,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -544,8 +580,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -566,8 +604,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -588,10 +628,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -630,10 +672,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -652,10 +696,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -675,9 +721,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -696,10 +743,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -718,10 +767,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -740,10 +791,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -762,10 +815,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -784,10 +839,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -806,10 +863,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -828,8 +887,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -850,8 +911,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -872,10 +935,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -914,10 +979,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -936,10 +1003,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -959,9 +1028,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal - This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + 0 + This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. - + @@ -980,10 +1050,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -1002,10 +1074,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -1024,10 +1098,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + 
@@ -1046,10 +1122,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 1 + This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. - + @@ -1068,10 +1146,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + 1 + This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. - + 
@@ -1090,10 +1170,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + 1 + This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. - + @@ -1112,8 +1194,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + 0 + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 
@@ -1134,8 +1218,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + 1 + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. @@ -1156,10 +1242,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + - This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + 1 + This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. - + 
@@ -1200,6 +1288,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). @@ -1349,7 +1438,7 @@ ServiceName - 0-255 number representing the ip protocol (TCP = 6, UDP = 17) + 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. @@ -1373,7 +1462,7 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320 + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. @@ -1397,7 +1486,7 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320 + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. @@ -1428,7 +1517,7 @@ Valid tokens include: A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. -An IPv6 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. @@ -1466,7 +1555,7 @@ An IPv6 address range in the format of "start address - end address" with no spa A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. -An IPv6 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. 
@@ -1509,8 +1598,6 @@ An IPv6 address range in the format of "start address - end address" with no spa Enabled - - @@ -1534,12 +1621,10 @@ If not specified - a new rule is disabled by default. Profiles - - - Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. + Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. @@ -1560,13 +1645,7 @@ If not specified - a new rule is disabled by default. - Specifies the action for the rule. - -BLOCK - block the connection. -ALLOW - allow the connection. - - -If not specified the default action is BLOCK. + Specifies the action for the rule. @@ -1584,11 +1663,10 @@ If not specified the default action is BLOCK. Type - - + 1 Specifies the action the rule enforces: 0 - Block 1 - Allow @@ -1611,11 +1689,10 @@ If not specified the default action is BLOCK. Direction - - + IN Comma separated list. The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. @@ -1640,11 +1717,10 @@ If not specified the detault is IN. InterfaceTypes - - + All String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All". If more than one interface type is specified, the strings must be separated by a comma. @@ -1661,30 +1737,6 @@ If not specified the detault is IN. - - IcmpTypesAndCodes - - - - - - - - The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes. - - - - - - - - - - - text/plain - - - EdgeTraversal 
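Review bot: The documented default action for a firewall rule appears to flip from block to allow in this hunk without the text saying so: the Action description loses the sentence `If not specified the default action is BLOCK.`, while the new Type child gains a default of `1`, and the same entry defines `1 - Allow`. A rule pushed through the CSP without an explicit Type is thus now documented as permitted, which is the unsafe direction for a firewall schema, and a reader comparing old and new text cannot tell whether the runtime behaviour changed or the old sentence was simply wrong. Suggest stating the default explicitly in the Type description, e.g. `If not specified, the default is 1 (Allow).`, and confirming against the CSP implementation which value it actually applies. The nearby Enabled text still says a new rule is disabled by default, which limits the exposure, so it is worth stating the two defaults together so the net effect is clear.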
@@ -1760,31 +1812,6 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - - FriendlyName - - - - - - - - Specifies the friendly name of the rule. -The string must not contain the "|" character. - - - - - - - - - - - text/plain - - - Name diff --git a/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png b/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png new file mode 100644 index 0000000000..36d0561150 Binary files /dev/null and b/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png differ diff --git a/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png b/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png new file mode 100644 index 0000000000..6f22d4701e Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png differ diff --git a/windows/client-management/mdm/images/admx-appv-policy-description.png b/windows/client-management/mdm/images/admx-appv-policy-description.png new file mode 100644 index 0000000000..46e99fcb28 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-policy-description.png differ diff --git a/windows/client-management/mdm/images/admx-appv-publishing.png b/windows/client-management/mdm/images/admx-appv-publishing.png new file mode 100644 index 0000000000..31d83e9329 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-publishing.png differ diff --git a/windows/client-management/mdm/images/admx-appv-publishingserver2.png b/windows/client-management/mdm/images/admx-appv-publishingserver2.png new file mode 100644 index 0000000000..01e516c407 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-publishingserver2.png differ 
diff --git a/windows/client-management/mdm/images/admx-appv.png b/windows/client-management/mdm/images/admx-appv.png new file mode 100644 index 0000000000..9b4c9d2f39 Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv.png differ diff --git a/windows/client-management/mdm/images/admx-gpedit-search.png b/windows/client-management/mdm/images/admx-gpedit-search.png new file mode 100644 index 0000000000..97ffa6ffd9 Binary files /dev/null and b/windows/client-management/mdm/images/admx-gpedit-search.png differ diff --git a/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png new file mode 100644 index 0000000000..0f9dc0d872 Binary files /dev/null and b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png index 14d49cdd89..df8aa48b95 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png index e8364c9bd7..136c240862 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png and b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png index 55b12f6c7f..76c746d95f 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png and b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png differ 
diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png index f31e4c749d..4720e51cd7 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-firewall.png and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-office.png b/windows/client-management/mdm/images/provisioning-csp-office.png index caa243a136..c361494236 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-office.png and b/windows/client-management/mdm/images/provisioning-csp-office.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png index 8ef11aeb25..1e31e34b6e 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png and b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png index 6bf38313ac..a5b77e0b42 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png and b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png differ diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 4a733d2da7..1dbb44551e 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/11/2017 --- # Mobile device enrollment 
@@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au > - Any fixed URIs that are passed during enrollment > - Specific formatting of any value unless otherwise noted, such as the format of the device ID. + +## Enrollment support for domain-joined devices   +Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. -## Prevent MDM enrollments +## Disable MDM enrollments -Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy: +Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. + +![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png) + +Here is the corresponding registry key: Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM Value: DisableRegistration -Using the GP editor, the path is Computer configuration > Administrative Templates > Windows Components > MDM > Disable MDM Enrollment. - ## Enrollment scenarios not supported - The following scenarios do not allow MDM enrollments: - Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. +- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. 
Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM. - Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed. ## Enrollment migration diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6ae7b4c759..8d2e232161 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,11 +10,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/28/2017 +ms.date: 08/31/2017 --- # What's new in MDM enrollment and management + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -27,6 +28,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What's new in Windows 10, version 1511](#whatsnew) - [What's new in Windows 10, version 1607](#whatsnew1607) - [What's new in Windows 10, version 1703](#whatsnew10) +- [What's new in Windows 10, version 1709](#whatsnew1709) - [Breaking changes and known issues](#breaking-changes-and-known-issues) - [Get command inside an atomic command is not supported](#getcommand) - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification) 
@@ -50,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1511 - +
    @@ -182,7 +184,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1607 -
    +
    @@ -493,7 +495,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## What's new in Windows 10, version 1703 -
    +
    @@ -676,12 +678,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartDeadlinePeriodInDays
  • Update/AutoRestartNotificationSchedule
  • -
  • Update/AutoRestartNotificationStyle
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/DetectionFrequency
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • -
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/EngagedRestartTransitionSchedule
  • Update/IgnoreMOAppDownloadLimit
  • Update/IgnoreMOUpdateDownloadLimit
  • Update/PauseFeatureUpdatesStartTime
  • @@ -913,6 +914,161 @@ For details about Microsoft mobile device management protocols for Windows 10 s
      +## What's new in Windows 10, version 1709 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ItemDescription
    [Firewall CSP](firewall-csp.md)

    Added new CSP in Windows 10, version 1709.

    +
    [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
    [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md)In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
    [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
    [VPNv2 CSP](vpnv2-csp.md)

    Added DeviceTunnel profile in Windows 10, version 1709.

    +
    [DeviceStatus CSP](devicestatus-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • DeviceStatus/DomainName
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
    • +
    • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
    • +
    +
    [AssignedAccess CSP](assignedaccess-csp.md)

    Added the following setting in Windows 10, version 1709.

    +
      +
    • Configuration
    • +
    +
    [DeviceManageability CSP](devicemanageability-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • Provider/_ProviderID_/ConfigInfo
    • +
    • Provider/_ProviderID_/EnrollmentInfo
    • +
    +
    [Office CSP](office-csp.md)

    Added the following setting in Windows 10, version 1709:

    +
      +
    • Installation/CurrentStatus
    • +
    +
    [Bitlocker CSP](bitlocker-csp.md)

    Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.

    +
    [ADMX-backed policies in Policy CSP](policy-configuration-service-provider.md#admx-backed-policies)

    Added new policies.

    +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Browser/LockdownFavorites
    • +
    • Browser/ProvisionFavorites
    • +
    • CredentialProviders/DisableAutomaticReDeploymentCredentials
    • +
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • +
    • DeviceGuard/RequirePlatformSecurityFeatures
    • +
    • DeviceGuard/LsaCfgFlags
    • +
    • ExploitGuard/ExploitProtectionSettings
    • +
    • Games/AllowAdvancedGamingServices
    • +
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • +
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
    • Power/DisplayOffTimeoutOnBattery
    • +
    • Power/DisplayOffTimeoutPluggedIn
    • +
    • Power/HibernateTimeoutOnBattery
    • +
    • Power/HibernateTimeoutPluggedIn
    • +
    • Power/StandbyTimeoutOnBattery
    • +
    • Power/StandbyTimeoutPluggedIn
    • +
    • Privacy/EnableActivityFeed
    • +
    • Privacy/PublishUserActivities
    • +
    • Defender/AttackSurfaceReductionOnlyExclusions
    • +
    • Defender/AttackSurfaceReductionRules
    • +
    • Defender/CloudBlockLevel
    • +
    • Defender/CloudExtendedTimeout
    • +
    • Defender/ControlledFolderAccessAllowedApplications
    • +
    • Defender/ControlledFolderAccessProtectedFolders
    • +
    • Defender/EnableControlledFolderAccess
    • +
    • Defender/EnableNetworkProtection
    • +
    • Education/DefaultPrinterName
    • +
    • Education/PreventAddingNewPrinters
    • +
    • Education/PrinterNames
    • +
    • Security/ClearTPMIfNotReady
    • +
    • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • +
    • Update/DisableDualScan
    • +
    • Update/ScheduledInstallEveryWeek
    • +
    • Update/ScheduledInstallFirstWeek
    • +
    • Update/ScheduledInstallFourthWeek
    • +
    • Update/ScheduledInstallSecondWeek
    • +
    • Update/ScheduledInstallThirdWeek
    • +
    • WindowsDefenderSecurityCenter/CompanyName
    • +
    • WindowsDefenderSecurityCenter/DisableAppBrowserUI
    • +
    • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableFamilyUI
    • +
    • WindowsDefenderSecurityCenter/DisableHealthUI
    • +
    • WindowsDefenderSecurityCenter/DisableNetworkUI
    • +
    • WindowsDefenderSecurityCenter/DisableNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableVirusUI
    • +
    • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
    • +
    • WindowsDefenderSecurityCenter/Email
    • +
    • WindowsDefenderSecurityCenter/EnableCustomizedToasts
    • +
    • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • +
    • WindowsDefenderSecurityCenter/Phone
    • +
    • WindowsDefenderSecurityCenter/URL
    • +
    +
    ## Breaking changes and known issues @@ -1179,6 +1335,232 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### August 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)

    Added new step-by-step guide to enable ADMX-backed policies.

    +
    [Mobile device enrollment](mobile-device-enrollment.md)

    Added the following statement:

    +
      +
    • Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
    • +
    +
    [CM\_CellularEntries CSP](cm-cellularentries-csp.md)

    Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

    +
    [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

    Updated the Settings/EDPEnforcementLevel values to the following:

    +
      +
    • 0 (default) – Off / No protection (decrypts previously protected data).
    • +
    • 1 – Silent mode (encrypt and audit only).
    • +
    • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
    • +
    • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • +
    +
    [AppLocker CSP](applocker-csp.md)

    Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).

    +
    [DeviceManageability CSP](devicemanageability-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • Provider/_ProviderID_/ConfigInfo
    • +
    • Provider/_ProviderID_/EnrollmentInfo
    • +
    +
    [Office CSP](office-csp.md)

    Added the following setting in Windows 10, version 1709:

    +
      +
    • Installation/CurrentStatus
    • +
    +
    [BitLocker CSP](bitlocker-csp.md)Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +
    [Firewall CSP](firewall-csp.md)Updated the CSP and DDF topics. Here are the changes: +
      +
    • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
    • +
    • Changed some data types from integer to bool.
    • +
    • Updated the list of supported operations for some settings.
    • +
    • Added default values.
    • +
    +
    [Policy DDF file](policy-ddf-file.md)Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies: +
      +
    • Browser/AllowMicrosoftCompatibilityList
    • +
    • Update/DisableDualScan
    • +
    • Update/FillEmptyContentUrls
    • +
    +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Browser/ProvisionFavorites
    • +
    • Browser/LockdownFavorites
    • +
    • ExploitGuard/ExploitProtectionSettings
    • +
    • Games/AllowAdvancedGamingServices
    • +
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • +
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
    • Privacy/EnableActivityFeed
    • +
    • Privacy/PublishUserActivities
    • +
    • Update/DisableDualScan
    • +
    • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • +
    +

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

    +

    Changed the names of the following policies:

    +
      +
    • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
    • +
    • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
    • +
    • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
    • +
    +

    Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    +

    There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

    +
      +
    • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
    • +
    • Start/HideAppList
    • +
    +
    + +### July 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [VPNv2 CSP](vpnv2-csp.md)

    Added DeviceTunnel profile in Windows 10, version 1709.

    +
    [BitLocker CSP](bitlocker-csp.md)Added the following statements:. +
      +
    • When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
    • +
    • When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
    • +
    +
    [Policy CSP](policy-configuration-service-provider.md) +

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Education/DefaultPrinterName
    • +
    • Education/PreventAddingNewPrinters
    • +
    • Education/PrinterNames
    • +
    • Security/ClearTPMIfNotReady
    • +
    • WindowsDefenderSecurityCenter/CompanyName
    • +
    • WindowsDefenderSecurityCenter/DisableAppBrowserUI
    • +
    • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableFamilyUI
    • +
    • WindowsDefenderSecurityCenter/DisableHealthUI
    • +
    • WindowsDefenderSecurityCenter/DisableNetworkUI
    • +
    • WindowsDefenderSecurityCenter/DisableNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableVirusUI
    • +
    • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
    • +
    • WindowsDefenderSecurityCenter/Email
    • +
    • WindowsDefenderSecurityCenter/EnableCustomizedToasts
    • +
    • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • +
    • WindowsDefenderSecurityCenter/Phone
    • +
    • WindowsDefenderSecurityCenter/URL
    • +
    +

    Experience/AllowFindMyDevice - updated the description to include active digitizers.

    +
    [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)Added the following statement to [MSI/ProductID/DownloadInstall](enterprisedesktopappmanagement-csp.md#msi-productid-downloadinstall): +
      +
    • In Windows 10, version 1703 service release, a new tag "DownloadFromAad" was added to the "Enforcement" section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
    • +
    +
    [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)Added the following information about the settings pages in AssigneAccessXML: +
      +
    • Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page.
    • +
    • In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
    • +
    +
    [DeviceStatus CSP](devicestatus-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • DeviceStatus/DomainName
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
    • +
    • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
    • +
        +
    [AssignedAccess CSP](assignedaccess-csp.md)

    Here are the changes in Windows 10, version 1709.

    +
      +
    • Added Configuration node
    • +
    +
    [SurfaceHub CSP](surfacehub-csp.md)

    Changed PasswordRotationPeriod to PasswordRotationEnabled.

    +
    + ### June 2017 @@ -1689,11 +2071,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
  • TimeLanguageSettings/AllowSet24HourClock
  • Update/ActiveHoursMaxRange
  • Update/AutoRestartNotificationSchedule
  • -
  • Update/AutoRestartNotificationStyle
  • Update/AutoRestartRequiredNotificationDismissal
  • Update/EngagedRestartDeadline
  • Update/EngagedRestartSnoozeSchedule
  • -
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/EngagedRestartTransitionSchedule
  • Update/SetAutoRestartNotificationDisable
  • WindowsLogon/HideFastUserSwitching
  • @@ -2424,10 +2805,16 @@ No. Only one MDM is allowed. 5. Set quota to unlimited. ![aad maximum joined devices](images/faq-max-devices.png) -   -  +**What is dmwappushsvc?** + +Entry | Description +--------------- | -------------------- +What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. | +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. | + diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 8b62bdd0c7..96b82f9aa7 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md 
@@ -6,11 +6,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/22/2017 --- # Office CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx). This CSP was added in Windows 10, version 1703. @@ -38,7 +41,7 @@ The following diagram shows the Office configuration service provider in tree fo **Install** -

    Installs office by using the XML data specified in the configuration.xml file. +

    Installs Office by using the XML data specified in the configuration.xml file.

    The supported operations are Get and Execute. @@ -48,13 +51,18 @@ The following diagram shows the Office configuration service provider in tree fo

    The only supported operation is Get. +**CurrentStatus** + +

    Returns an XML of current Office 365 installation status on the device. + +

    The only supported operation is Get. ## Examples Sample SyncML to install Office 365 Business Retail from current channel. ```syntax - + 7 @@ -76,7 +84,7 @@ Sample SyncML to install Office 365 Business Retail from current channel. To uninstall the Office 365 from the system: ```syntax - + 7 @@ -95,6 +103,24 @@ To uninstall the Office 365 from the system: ``` +To get the current status of Office 365 on the device. + +``` syntax + +    +      7 +        +          +            ./Vendor/MSFT/Office/Installation/CurrentStatus +          +        +    +    + +``` + ## Status code

    diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 0fd89434b4..ebd7f2b843 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/22/2017 --- # Office DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -19,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -30,12 +33,12 @@ The XML below is the current version for this CSP. 1.2 Office - ./Vendor/MSFT + ./User/Vendor/MSFT - Root of the office CSP. + Root of the Office CSP. @@ -46,7 +49,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/Office + com.microsoft/1.3/MDM/Office @@ -55,7 +58,7 @@ The XML below is the current version for this CSP. - Installation options for the office CSP. + Installation options for the Office CSP. 
@@ -100,7 +103,7 @@ The XML below is the current version for this CSP. - The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office. @@ -137,6 +140,27 @@ The XML below is the current version for this CSP. + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + text/plain + + + @@ -156,7 +180,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.3/MDM/Office @@ -243,6 +267,27 @@ The XML below is the current version for this CSP. + + CurrentStatus + + + + + The current Office 365 installation status on the machine + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index baf0b42bec..a36b8b8b5f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/28/2017 +ms.date: 08/25/2017 --- # Policy CSP @@ -77,7 +77,7 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -

    Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Centennial apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Centennial apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Centennial app policies, see [Win32 and Centennial app policy configuration](win32-and-centennial-app-policy-configuration.md). +

    Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). @@ -87,12 +87,12 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/****_AppName_** -

    Added in Windows 10, version 1703. Specifies the name of the Win32 or Centennial app associated with the ADMX file. +

    Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** -

    Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app policy is to be imported. +

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.

    Supported operations are Add, Get, and Delete. @@ -102,7 +102,7 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** -

    Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app preference is to be imported. +

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.

    Supported operations are Add, Get, and Delete. @@ -256,7 +256,7 @@ The following diagram shows the Policy configuration service provider in tree fo AppVirtualization/PublishingAllowServer5

    - AppVirtualization/StreamingAllowCertificateFilterForClient_SSL + AppVirtualization/StreamingAllowCertificateFilterForClient_SSL
    AppVirtualization/StreamingAllowHighCostLaunch @@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
    Bitlocker/EncryptionMethod
    +
    + BitLocker/EncryptionMethodByDriveType in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/RemovableDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/SystemDrivesMinimumPINLength in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryMessage in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication in BitLocker CSP +
    ### Bluetooth policies @@ -432,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/HomePages
    +
    + Browser/LockdownFavorites +
    Browser/PreventAccessToAboutFlagsInMicrosoftEdge
    @@ -450,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Browser/PreventUsingLocalHostIPAddressForWebRTC
    +
    + Browser/ProvisionFavorites +
    Browser/SendIntranetTraffictoInternetExplorer
    @@ -476,7 +506,7 @@ The following diagram shows the Policy configuration service provider in tree fo
    - Cellular/ShowAppCellularAccessUI + Cellular/ShowAppCellularAccessUI
    @@ -508,19 +538,19 @@ The following diagram shows the Policy configuration service provider in tree fo Connectivity/AllowVPNRoamingOverCellular
    - Connectivity/DiablePrintingOverHTTP + Connectivity/DiablePrintingOverHTTP
    - Connectivity/DisableDownloadingOfPrintDriversOverHTTP + Connectivity/DisableDownloadingOfPrintDriversOverHTTP
    - Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards + Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
    Connectivity/HardenedUNCPaths
    - Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge + Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge
    @@ -534,7 +564,7 @@ The following diagram shows the Policy configuration service provider in tree fo CredentialProviders/BlockPicturePassword
    - CredentialProviders/EnableWindowsAutoPilotResetCredentials + CredentialProviders/DisableAutomaticReDeploymentCredentials
    @@ -643,7 +673,7 @@ The following diagram shows the Policy configuration service provider in tree fo Defender/DaysToRetainCleanedMalware
    - Defender/EnableGuardMyFolders + Defender/EnableControlledFolderAccess
    Defender/EnableNetworkProtection @@ -658,10 +688,10 @@ The following diagram shows the Policy configuration service provider in tree fo Defender/ExcludedProcesses
    - Defender/GuardedFoldersAllowedApplications + Defender/ControlledFolderAccessAllowedApplications
    - Defender/GuardedFoldersList + Defender/ControlledFolderAccessProtectedFolders
    Defender/PUAProtection @@ -842,6 +872,20 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### Education policies + +
    +
    + Education/DefaultPrinterName +
    +
    + Education/PreventAddingNewPrinters +
    +
    + Education/PrinterNames +
    +
    + ### EnterpriseCloudPrint policies
    @@ -914,6 +958,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Experience/AllowDeviceDiscovery
    +
    + Experience/AllowFindMyDevice +
    Experience/AllowManualMDMUnenrollment
    @@ -961,6 +1008,14 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### ExploitGuard policies + +
    +
    + ExploitGuard/ExploitProtectionSettings +
    +
    + ### Games policies
    @@ -982,13 +1037,13 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/AllowAddOnList
    - InternetExplorer/AllowAutoComplete + InternetExplorer/AllowAutoComplete
    - InternetExplorer/AllowCertificateAddressMismatchWarning + InternetExplorer/AllowCertificateAddressMismatchWarning
    - InternetExplorer/AllowDeletingBrowsingHistoryOnExit + InternetExplorer/AllowDeletingBrowsingHistoryOnExit
    InternetExplorer/AllowEnhancedProtectedMode @@ -1000,7 +1055,7 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/AllowEnterpriseModeSiteList
    - InternetExplorer/AllowFallbackToSSL3 + InternetExplorer/AllowFallbackToSSL3
    InternetExplorer/AllowInternetExplorer7PolicyList @@ -1036,7 +1091,7 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/AllowSiteToZoneAssignmentList
    - InternetExplorer/AllowSoftwareWhenSignatureIsInvalid + InternetExplorer/AllowSoftwareWhenSignatureIsInvalid
    InternetExplorer/AllowSuggestedSites @@ -1051,19 +1106,19 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/AllowsRestrictedSitesZoneTemplate
    - InternetExplorer/CheckServerCertificateRevocation + InternetExplorer/CheckServerCertificateRevocation
    - InternetExplorer/CheckSignaturesOnDownloadedPrograms + InternetExplorer/CheckSignaturesOnDownloadedPrograms
    - InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses + InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses
    InternetExplorer/DisableAdobeFlash
    - InternetExplorer/DisableBlockingOfOutdatedActiveXControls + InternetExplorer/DisableBlockingOfOutdatedActiveXControls
    InternetExplorer/DisableBypassOfSmartScreenWarnings @@ -1072,16 +1127,16 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles
    - InternetExplorer/DisableConfiguringHistory + InternetExplorer/DisableConfiguringHistory
    - InternetExplorer/DisableCrashDetection + InternetExplorer/DisableCrashDetection
    InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation
    - InternetExplorer/DisableDeletingUserVisitedWebsites + InternetExplorer/DisableDeletingUserVisitedWebsites
    InternetExplorer/DisableEnclosureDownloading @@ -1099,13 +1154,13 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/DisableHomePageChange
    - InternetExplorer/DisableIgnoringCertificateErrors + InternetExplorer/DisableIgnoringCertificateErrors
    - InternetExplorer/DisableInPrivateBrowsing + InternetExplorer/DisableInPrivateBrowsing
    - InternetExplorer/DisableProcessesInEnhancedProtectedMode + InternetExplorer/DisableProcessesInEnhancedProtectedMode
    InternetExplorer/DisableProxyChange @@ -1117,13 +1172,13 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/DisableSecondaryHomePageChange
    - InternetExplorer/DisableSecuritySettingsCheck + InternetExplorer/DisableSecuritySettingsCheck
    InternetExplorer/DisableUpdateCheck
    - InternetExplorer/DoNotAllowActiveXControlsInProtectedMode + InternetExplorer/DoNotAllowActiveXControlsInProtectedMode
    InternetExplorer/DoNotAllowUsersToAddSites @@ -1153,10 +1208,10 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads
    - InternetExplorer/InternetZoneAllowCopyPasteViaScript + InternetExplorer/InternetZoneAllowCopyPasteViaScript
    - InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles + InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
    InternetExplorer/InternetZoneAllowFontDownloads @@ -1165,22 +1220,22 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/InternetZoneAllowLessPrivilegedSites
    - InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles
    InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
    - InternetExplorer/InternetZoneAllowScriptInitiatedWindows + InternetExplorer/InternetZoneAllowScriptInitiatedWindows
    - InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls
    InternetExplorer/InternetZoneAllowScriptlets @@ -1189,76 +1244,70 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/InternetZoneAllowSmartScreenIE
    - InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript + InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript
    InternetExplorer/InternetZoneAllowUserDataPersistence
    - InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls
    - InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetExplorer/InternetZoneDownloadSignedActiveXControls
    - InternetExplorer/InternetZoneDownloadSignedActiveXControls + InternetExplorer/InternetZoneDownloadUnsignedActiveXControls
    - InternetExplorer/InternetZoneDownloadUnsignedActiveXControls + InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter
    - InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + InternetExplorer/InternetZoneEnableMIMESniffing
    - InternetExplorer/InternetZoneEnableMIMESniffing + InternetExplorer/InternetZoneEnableProtectedMode
    - InternetExplorer/InternetZoneEnableProtectedMode -
    -
    - InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer + InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer
    InternetExplorer/InternetZoneInitializeAndScriptActiveXControls
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe
    - InternetExplorer/InternetZoneJavaPermissionsWRONG1 + InternetExplorer/InternetZoneJavaPermissions
    - InternetExplorer/InternetZoneJavaPermissionsWRONG2 + InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME
    - InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/InternetZoneLogonOptions + InternetExplorer/InternetZoneLogonOptions
    InternetExplorer/InternetZoneNavigateWindowsAndFrames
    - InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode
    - InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
    - InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles + InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles
    - InternetExplorer/InternetZoneUsePopupBlocker + InternetExplorer/InternetZoneUsePopupBlocker
    - InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone + InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone
    InternetExplorer/IntranetZoneAllowAccessToDataSources @@ -1287,9 +1336,18 @@ The following diagram shows the Policy configuration service provider in tree fo
    InternetExplorer/IntranetZoneAllowUserDataPersistence
    +
    + InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +
    InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
    +
    + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
    +
    + InternetExplorer/IntranetZoneJavaPermissions +
    InternetExplorer/IntranetZoneNavigateWindowsAndFrames
    @@ -1321,13 +1379,13 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/LocalMachineZoneAllowUserDataPersistence
    - InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls + InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls
    InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls
    - InternetExplorer/LocalMachineZoneJavaPermissions + InternetExplorer/LocalMachineZoneJavaPermissions
    InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames @@ -1363,7 +1421,7 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls
    - InternetExplorer/LockedDownInternetZoneJavaPermissions + InternetExplorer/LockedDownInternetZoneJavaPermissions
    InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames @@ -1432,7 +1490,7 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls
    - InternetExplorer/LockedDownLocalMachineZoneJavaPermissions + InternetExplorer/LockedDownLocalMachineZoneJavaPermissions
    InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames @@ -1468,7 +1526,7 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls
    - InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions + InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
    InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames @@ -1504,43 +1562,43 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
    - InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions + InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
    InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames
    - InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses + InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses
    - InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses + InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
    - InternetExplorer/NotificationBarInternetExplorerProcesses + InternetExplorer/NotificationBarInternetExplorerProcesses
    - InternetExplorer/PreventManagingSmartScreenFilter + InternetExplorer/PreventManagingSmartScreenFilter
    - InternetExplorer/PreventPerUserInstallationOfActiveXControls + InternetExplorer/PreventPerUserInstallationOfActiveXControls
    - InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses + InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses
    - InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls + InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
    - InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses + InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
    - InternetExplorer/RestrictFileDownloadInternetExplorerProcesses + InternetExplorer/RestrictFileDownloadInternetExplorerProcesses
    InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources
    - InternetExplorer/RestrictedSitesZoneAllowActiveScripting + InternetExplorer/RestrictedSitesZoneAllowActiveScripting
    InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls @@ -1549,49 +1607,43 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
    - InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors + InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors
    - InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript + InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript
    - InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles + InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles
    - InternetExplorer/RestrictedSitesZoneAllowFileDownloads + InternetExplorer/RestrictedSitesZoneAllowFileDownloads
    InternetExplorer/RestrictedSitesZoneAllowFontDownloads
    -
    - InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1 -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2 -
    InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites
    - InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles + InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles
    - InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH + InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH
    InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
    - InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows + InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows
    - InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls
    InternetExplorer/RestrictedSitesZoneAllowScriptlets @@ -1600,85 +1652,88 @@ The following diagram shows the Policy configuration service provider in tree fo InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE
    - InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript + InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript
    InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
    - InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
    - InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls + InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls
    - InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls + InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
    - InternetExplorer/RestrictedSitesZoneEnableMIMESniffing + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
    - InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer + InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +
    +
    + InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer
    InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls
    - InternetExplorer/RestrictedSitesZoneJavaPermissions + InternetExplorer/RestrictedSitesZoneJavaPermissions
    - InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME + InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME
    - InternetExplorer/RestrictedSitesZoneLogonOptions + InternetExplorer/RestrictedSitesZoneLogonOptions
    InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames
    - InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains
    - InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins + InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
    - InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
    - InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting + InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting
    - InternetExplorer/RestrictedSitesZoneWRONG + InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets
    - InternetExplorer/RestrictedSitesZoneWRONG2 + InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles
    - InternetExplorer/RestrictedSitesZoneWRONG3 + InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter
    - InternetExplorer/RestrictedSitesZoneWRONG4 + InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode
    - InternetExplorer/RestrictedSitesZoneWRONG5 + InternetExplorer/RestrictedSitesZoneUsePopupBlocker
    - InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses + InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses
    InternetExplorer/SearchProviderList
    - InternetExplorer/SecurityZonesUseOnlyMachineSettings + InternetExplorer/SecurityZonesUseOnlyMachineSettings
    - InternetExplorer/SpecifyUseOfActiveXInstallerService + InternetExplorer/SpecifyUseOfActiveXInstallerService
    InternetExplorer/TrustedSitesZoneAllowAccessToDataSources @@ -1707,21 +1762,27 @@ The following diagram shows the Policy configuration service provider in tree fo
    InternetExplorer/TrustedSitesZoneAllowUserDataPersistence
    +
    + InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
    +
    + InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls +
    InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls
    - InternetExplorer/TrustedSitesZoneJavaPermissions + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe +
    +
    + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
    +
    + InternetExplorer/TrustedSitesZoneJavaPermissions
    InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames
    -
    - InternetExplorer/TrustedSitesZoneWRONG1 -
    -
    - InternetExplorer/TrustedSitesZoneWRONG2 -
    ### Kerberos policies @@ -1755,6 +1816,83 @@ The following diagram shows the Policy configuration service provider in tree fo +### LocalPoliciesSecurityOptions policies + +
    +
    + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +
    +
    + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +
    +
    + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +
    +
    + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +
    +
    + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +
    +
    + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +
    +
    + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +
    +
    + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon +
    +
    + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +
    +
    + ### Location policies
    @@ -1872,7 +2010,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 Printers/PointAndPrintRestrictions
    - Printers/PointAndPrintRestrictions_User
+ Printers/PointAndPrintRestrictions_User
    Printers/PublishPrinters
@@ -1891,6 +2029,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Privacy/DisableAdvertisingId
    +
    + Privacy/EnableActivityFeed
+
    Privacy/LetAppsAccessAccountInfo
    @@ -2107,6 +2248,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
    +
    + Privacy/PublishUserActivities
+
    ### RemoteAssistance policies
@@ -2153,49 +2297,49 @@ The following diagram shows the Policy configuration service provider in tree fo
    - RemoteManagement/AllowBasicAuthentication_Client
+ RemoteManagement/AllowBasicAuthentication_Client
    - RemoteManagement/AllowBasicAuthentication_Service
+ RemoteManagement/AllowBasicAuthentication_Service
    - RemoteManagement/AllowCredSSPAuthenticationClient
+ RemoteManagement/AllowCredSSPAuthenticationClient
    - RemoteManagement/AllowCredSSPAuthenticationService
+ RemoteManagement/AllowCredSSPAuthenticationService
    - RemoteManagement/AllowRemoteServerManagement
+ RemoteManagement/AllowRemoteServerManagement
    - RemoteManagement/AllowUnencryptedTraffic_Client
+ RemoteManagement/AllowUnencryptedTraffic_Client
    - RemoteManagement/AllowUnencryptedTraffic_Service
+ RemoteManagement/AllowUnencryptedTraffic_Service
    - RemoteManagement/DisallowDigestAuthentication
+ RemoteManagement/DisallowDigestAuthentication
    - RemoteManagement/DisallowNegotiateAuthenticationClient
+ RemoteManagement/DisallowNegotiateAuthenticationClient
    - RemoteManagement/DisallowNegotiateAuthenticationService
+ RemoteManagement/DisallowNegotiateAuthenticationService
    - RemoteManagement/DisallowStoringOfRunAsCredentials
+ RemoteManagement/DisallowStoringOfRunAsCredentials
    - RemoteManagement/SpecifyChannelBindingTokenHardeningLevel
+ RemoteManagement/SpecifyChannelBindingTokenHardeningLevel
    - RemoteManagement/TrustedHosts
+ RemoteManagement/TrustedHosts
    - RemoteManagement/TurnOnCompatibilityHTTPListener
+ RemoteManagement/TurnOnCompatibilityHTTPListener
    - RemoteManagement/TurnOnCompatibilityHTTPSListener
+ RemoteManagement/TurnOnCompatibilityHTTPSListener
    @@ -2214,25 +2358,25 @@ The following diagram shows the Policy configuration service provider in tree fo
    - RemoteShell/AllowRemoteShellAccess
+ RemoteShell/AllowRemoteShellAccess
    - RemoteShell/MaxConcurrentUsers
+ RemoteShell/MaxConcurrentUsers
    - RemoteShell/SpecifyIdleTimeout
+ RemoteShell/SpecifyIdleTimeout
    - RemoteShell/SpecifyMaxMemory
+ RemoteShell/SpecifyMaxMemory
    - RemoteShell/SpecifyMaxProcesses
+ RemoteShell/SpecifyMaxProcesses
    - RemoteShell/SpecifyMaxRemoteShells
+ RemoteShell/SpecifyMaxRemoteShells
    - RemoteShell/SpecifyShellTimeout
+ RemoteShell/SpecifyShellTimeout
    @@ -2286,6 +2430,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Security/AntiTheftMode
    +
    + Security/ClearTPMIfNotReady
+
    Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
    @@ -2571,6 +2718,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/AllowAutoUpdate
    +
    + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
+
    Update/AllowMUUpdateService
    @@ -2607,6 +2757,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/DetectionFrequency
    +
    + Update/DisableDualScan
+
    Update/EngagedRestartDeadline
    @@ -2635,13 +2788,13 @@ The following diagram shows the Policy configuration service provider in tree fo
 Update/PauseFeatureUpdates
    - Update/PauseFeatureUpdatesStartTime
+ Update/PauseFeatureUpdatesStartTime
    Update/PauseQualityUpdates
    - Update/PauseQualityUpdatesStartTime
+ Update/PauseQualityUpdatesStartTime
    Update/RequireDeferUpgrade
@@ -2716,6 +2869,53 @@ The following diagram shows the Policy configuration service provider in tree fo
    +### WindowsDefenderSecurityCenter policies
+
+
    +
    + WindowsDefenderSecurityCenter/CompanyName
+
    +
    + WindowsDefenderSecurityCenter/DisableAppBrowserUI
+
    +
    + WindowsDefenderSecurityCenter/DisableEnhancedNotifications
+
    +
    + WindowsDefenderSecurityCenter/DisableFamilyUI
+
    +
    + WindowsDefenderSecurityCenter/DisableHealthUI
+
    +
    + WindowsDefenderSecurityCenter/DisableNetworkUI
+
    +
    + WindowsDefenderSecurityCenter/DisableNotifications
+
    +
    + WindowsDefenderSecurityCenter/DisableVirusUI
+
    +
    + WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
+
    +
    + WindowsDefenderSecurityCenter/Email
+
    +
    + WindowsDefenderSecurityCenter/EnableCustomizedToasts
+
    +
    + WindowsDefenderSecurityCenter/EnableInAppCustomization
+
    +
    + WindowsDefenderSecurityCenter/Phone
+
    +
    + WindowsDefenderSecurityCenter/URL
+
    +
    +
 ### WindowsInkWorkspace policies
    @@ -2754,7 +2954,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 WirelessDisplay/AllowProjectionToPC
    - WirelessDisplay/AllowProjectionToPCOverInfrastructure
+ WirelessDisplay/AllowProjectionToPCOverInfrastructure
    WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
@@ -2765,7 +2965,7 @@ The following diagram shows the Policy configuration service provider in tree fo
    -## ADMX backed policies +## ADMX-backed policies - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) @@ -2785,7 +2985,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) - [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) - [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) -- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient_ssl) +- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) - [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) - [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) - [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) 
@@ -2802,12 +3002,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) - [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) - [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) -- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#None) -- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#None) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#None) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#None) +- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) +- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) - [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#None) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) - [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) - [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) 
@@ -2830,13 +3030,13 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) - [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) - [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) -- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) - [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) - [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) - [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) -- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) - [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) - [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) - 
[InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) 
@@ -2848,36 +3048,36 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) - [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) - [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) -- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) - [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) - [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) - [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) - [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) -- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) +- 
[InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) - [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) -- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols) - [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) - [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) -- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) - [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) -- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) - [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) - [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) - 
[InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) - [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) - [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) -- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) - [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) - [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) - [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) -- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) - [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) -- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#None) +- 
[InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) - [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) - [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) - [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) 
@@ -2887,42 +3087,39 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) - [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) - [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) - [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) - [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) -- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) - [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None) -- 
[InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) - [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) - [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) -- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) - [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) -- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2](./policy-csp-internetexplorer.md#None) -- 
[InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- 
[InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) +- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) - [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneJavaPermissionsWRONG1](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneJavaPermissionsWRONG2](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) +- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) - [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None) -- 
[InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#None) -- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) +- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone) - [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) - [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) - [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) 
@@ -2932,7 +3129,10 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) - [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) - [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe) +- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) - [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) - [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) - [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) 
@@ -2943,9 +3143,9 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) - [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) - [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) -- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) - [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) - [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) - [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) 
@@ -2957,7 +3157,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) - [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) - [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) - [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) - [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) - [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) 
@@ -2980,7 +3180,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) - [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) - [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) - [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) - [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) - [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) 
@@ -2992,7 +3192,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) - [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) - [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) - [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) - [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) - [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) 
@@ -3004,64 +3204,64 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
 - [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
 - [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
 - [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
 - [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
 - [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
 - [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
 - [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
 - [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
 - [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
 - [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
 - [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
 - [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
 - [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG3](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG4](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG5](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
 - [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
 - [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
 - [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
 - [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
@@ -3071,11 +3271,13 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
 - [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
 - [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols)
 - [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
 - [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/TrustedSitesZoneWRONG1](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/TrustedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None)
 - [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
 - [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
 - [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
@@ -3091,7 +3293,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
 - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
 - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions_user)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
 - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
 - [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
 - [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
@@ -3103,30 +3305,30 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
 - [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
 - [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
 - [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
 - [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#None)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#None)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
 - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
 - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
 - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
@@ -3154,13 +3356,18 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
 - [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
 - [Camera/AllowCamera](#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
 - [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
 - [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
 - [Connectivity/AllowNFC](#connectivity-allownfc)
 - [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
 - [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
 - [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
 - [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
 - [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
 - [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
 - [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
@@ -3265,7 +3472,8 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
 - [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
 - [Camera/AllowCamera](#camera-allowcamera)
-- [ConfigOperations/ADMXInstall](#None)
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+- [ConfigOperations/ADMXInstall](#configoperations-admxinstall)
 - [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
 - [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
 - [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
@@ -3313,7 +3521,8 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
 - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
 - [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
-- [DeviceGuard/AllowKernelControlFlowGuard](#None)
+- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
+- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
 - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
 - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
 - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@@ -3322,6 +3531,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
 - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
 - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
 - [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
 - [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
 - [System/AllowFontProviders](#system-allowfontproviders)
@@ -3338,9 +3548,9 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
 - [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
 - [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
-- [TimeLanguageSettings/Set24HourClock](#None)
-- [TimeLanguageSettings/SetCountry](#None)
-- [TimeLanguageSettings/SetLanguage](#None)
+- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
+- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
+- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
 - [Update/AllowAutoUpdate](#update-allowautoupdate)
 - [Update/AllowUpdateService](#update-allowupdateservice)
 - [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
@@ -3364,6 +3574,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Browser/AllowBrowser](#browser-allowbrowser) - [Camera/AllowCamera](#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) - [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) 
@@ -3432,196 +3643,6 @@ Do not allow NFC. ``` -## Start/StartLayout Examples - -### Generating a layout - -The easiest way to generate a layout is to set the Start layout on a PC, and then run the PowerShell cmdlet **Export-StartLayout**. - -` > Export-StartLayout -path c:\users\<`*you*`>\desktop\startlayout.xml` - -Sample layout generated using the cmdlet - -``` syntax - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -### Understanding the schema - -In the previous example, the **DefaultLayoutOverride** element is used to specify a layout that overrides the default Start layout. It contains a **StartLayoutCollection**. **StartLayoutCollection** contains a **StartLayout**, which is made up of a collection of **Groups** which are, in turn, made up of either **Tiles** or **DesktopApplicationTiles**. - -### Manually creating a layout - -For **Tile** elements, the **AppUserModelID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information. - -For **DesktopApplicationTile** elements, the **DesktopApplicationID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information. - -### Secondary tiles - -Creating a layout requires some special notes about secondary tiles. In general, the simplest way to correctly specify a **SecondaryTile** is to generate it using the **Export-StartLayout** PowerShell cmdlet as specified above. - -> [!NOTE] -> Apps that don't encode enough information in their secondary tiles may not be able to be used effectively in the **StartLayout** policy. - - -### Generic webpage shortcuts - -The simplest mechanism to create a link to a webpage is to use a URL file. This can be manually added to the layout file by specifying the URL in the **DesktopApplicationID** attribute. 
- -``` syntax - -``` - -### Microsoft Edge secondary tiles - -These can be generated by using the **Export-StartLayout** PowerShell cmdlet as specified above. The following example shows a generated secondary tile: - -``` syntax - -``` - -### Microsoft Edge assets example - -An example XML string value for the **[Start/ImportEdgeAssets](#start-importedgeassets)** policy. - -``` syntax - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAJLSURBVHgB7d3Joqo6FEDBbUOCAYT//9nTN/cganz9fakaO1qDjRASAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+G/a7Q/HLgV35P5UhvQmuGrMh+mcfhFbmPeHMqS1YCUvU0nbgtUUvyFWTPGKWKZ4BVP8Aaa4WPeklX87llhipfu6fWwTa8sDtcTqoppYSSyxxBJLLLEuiCVWzv3U1cUSK17ty81YYnVTn/NXkmW4Gkusso9X30nm83YssYYlYhUrxnNjsUoph8Mh5zzGtcEdL85zXMaKeWgoVlzKZTPWGFuxYmk41vbgjm/rWFEajxXzUB9r33qs2NfHiq71WHGsjzU1H2tXH6tvPlYcq2Pl5mKdyovDLr4sVxOIVdKbviZBWms0Vprj091YYk13Y63khmN18Wm4l0CsFJ9KXYK+PpZYk1gvuroEQ8OxyoMDfp8ajrXEh7kuQWk41jA+dse3pHZjdXPNveH6uVeT94an/tZThzEujF1qMtbadPGrbo6V+a2VWHlzKWzrSb1Y43BrkfXXxXuxxvPN5fv5e3VRrO1F+bRBrGVIVbHEGpcupduxxNrnnPeH0zltEWv73vB/EUssscQS6waxxBJLLANerAeJJZZYYq105XTIc1UssSr46yCWWGLZUC6WWGKJJZZYYonVieWAREdvOtRVLAdR/ybm3hHnjxnz4XgW69HPMoj1d37wg/Gv+ZSM2R/Uz/6gfvYHv+8n+wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgGdtQJGPPIrELgAAAABJRU5ErkJggg== - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 
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 - - - - -``` - ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 125546ca2b..2268695665 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - AboveLock diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 8e3cbf0a9f..f2e678427b 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Accounts diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index e2cb16c774..755aeb5a2e 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - ActiveXControls @@ -35,11 +36,11 @@ author: nickbrower - - + +
    cross mark check markcheck mark check mark check mark check markcross markcross mark
    @@ -54,10 +55,18 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Approved Installation Sites for ActiveX Controls* +- GP English name: *Approved Installation Sites for ActiveX Controls* - GP name: *ApprovedActiveXInstallSites* +- GP path: *Windows Components/ActiveX Installer Service* - GP ADMX file name: *ActiveXInstallService.admx* diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index bf34e7343f..838ad9fbc8 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - ApplicationDefaults diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 805e786817..db13ecc123 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md 
@@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - ApplicationManagement diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 3aaaa8966e..e44fda0b34 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - AppVirtualization @@ -35,11 +36,11 @@ author: nickbrower cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark @@ -48,10 +49,18 @@ author: nickbrower This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable App-V Client* +- GP English name: *Enable App-V Client* - GP name: *EnableAppV* +- GP path: *System/App-V* - GP ADMX file name: *appv.admx* @@ -73,11 +82,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -86,10 +95,18 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable Dynamic Virtualization* +- GP English name: *Enable Dynamic Virtualization* - GP name: *Virtualization_JITVEnable* +- GP path: *System/App-V/Virtualization* - GP ADMX file name: *appv.admx* @@ -111,11 +128,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -124,10 +141,18 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable automatic cleanup of unused appv packages* +- GP English name: *Enable automatic cleanup of unused appv packages* - GP name: *PackageManagement_AutoCleanupEnable* +- GP path: *System/App-V/PackageManagement* - GP ADMX file name: *appv.admx* @@ -149,11 +174,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -162,10 +187,18 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable Package Scripts* +- GP English name: *Enable Package Scripts* - GP name: *Scripting_Enable_Package_Scripts* +- GP path: *System/App-V/Scripting* - GP ADMX file name: *appv.admx* @@ -187,11 +220,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -200,10 +233,18 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable Publishing Refresh UX* +- GP English name: *Enable Publishing Refresh UX* - GP name: *Enable_Publishing_Refresh_UX* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -225,11 +266,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -248,10 +289,18 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Reporting Server* +- GP English name: *Reporting Server* - GP name: *Reporting_Server_Policy* +- GP path: *System/App-V/Reporting* - GP ADMX file name: *appv.admx* @@ -273,11 +322,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -286,10 +335,18 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Roaming File Exclusions* +- GP English name: *Roaming File Exclusions* - GP name: *Integration_Roaming_File_Exclusions* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -311,11 +368,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -324,10 +381,18 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Roaming Registry Exclusions* +- GP English name: *Roaming Registry Exclusions* - GP name: *Integration_Roaming_Registry_Exclusions* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -349,11 +414,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -362,10 +427,18 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify what to load in background (aka AutoLoad)* +- GP English name: *Specify what to load in background (aka AutoLoad)* - GP name: *Steaming_Autoload* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -387,11 +460,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -400,10 +473,18 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable Migration Mode* +- GP English name: *Enable Migration Mode* - GP name: *Client_Coexistence_Enable_Migration_mode* +- GP path: *System/App-V/Client Coexistence* - GP ADMX file name: *appv.admx* @@ -425,11 +506,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -438,10 +519,18 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Integration Root User* +- GP English name: *Integration Root User* - GP name: *Integration_Root_User* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -463,11 +552,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -476,10 +565,18 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Integration Root Global* +- GP English name: *Integration Root Global* - GP name: *Integration_Root_Global* +- GP path: *System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -501,11 +598,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -532,10 +629,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Publishing Server 1 Settings* +- GP English name: *Publishing Server 1 Settings* - GP name: *Publishing_Server1_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -557,11 +662,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -588,10 +693,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Publishing Server 2 Settings* +- GP English name: *Publishing Server 2 Settings* - GP name: *Publishing_Server2_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -613,11 +726,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -644,10 +757,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Publishing Server 3 Settings* +- GP English name: *Publishing Server 3 Settings* - GP name: *Publishing_Server3_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -669,11 +790,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -700,10 +821,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Publishing Server 4 Settings* +- GP English name: *Publishing Server 4 Settings* - GP name: *Publishing_Server4_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -725,11 +854,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -756,16 +885,24 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Publishing Server 5 Settings* +- GP English name: *Publishing Server 5 Settings* - GP name: *Publishing_Server5_Policy* +- GP path: *System/App-V/Publishing* - GP ADMX file name: *appv.admx* -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** +**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** @@ -781,11 +918,11 @@ ADMX Info: - - + +
    cross mark check markcheck mark check mark check mark check markcross markcross mark
    @@ -794,10 +931,18 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Certificate Filter For Client SSL* +- GP English name: *Certificate Filter For Client SSL* - GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -819,11 +964,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -832,10 +977,18 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* +- GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* - GP name: *Streaming_Allow_High_Cost_Launch* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -857,11 +1010,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -870,10 +1023,18 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Location Provider* +- GP English name: *Location Provider* - GP name: *Streaming_Location_Provider* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -895,11 +1056,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -908,10 +1069,18 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Package Installation Root* +- GP English name: *Package Installation Root* - GP name: *Streaming_Package_Installation_Root* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -933,11 +1102,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -946,10 +1115,18 @@ ADMX Info: Overrides source location for downloading package content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Package Source Root* +- GP English name: *Package Source Root* - GP name: *Streaming_Package_Source_Root* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -971,11 +1148,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -984,10 +1161,18 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Reestablishment Interval* +- GP English name: *Reestablishment Interval* - GP name: *Streaming_Reestablishment_Interval* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1009,11 +1194,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -1022,10 +1207,18 @@ ADMX Info: Specifies the number of times to retry a dropped session. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Reestablishment Retries* +- GP English name: *Reestablishment Retries* - GP name: *Streaming_Reestablishment_Retries* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1047,11 +1240,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -1060,10 +1253,18 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Shared Content Store (SCS) mode* +- GP English name: *Shared Content Store (SCS) mode* - GP name: *Streaming_Shared_Content_Store_Mode* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1085,11 +1286,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -1098,10 +1299,18 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable Support for BranchCache* +- GP English name: *Enable Support for BranchCache* - GP name: *Streaming_Support_Branch_Cache* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1123,11 +1332,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -1136,10 +1345,18 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Verify certificate revocation list* +- GP English name: *Verify certificate revocation list* - GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP path: *System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1161,11 +1378,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -1174,10 +1391,18 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Virtual Component Process Allow List* +- GP English name: *Virtual Component Process Allow List* - GP name: *Virtualization_JITVAllowList* +- GP path: *System/App-V/Virtualization* - GP ADMX file name: *appv.admx* diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 16d1409a9a..202f7f324a 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - AttachmentManager @@ -35,11 +36,11 @@ author: nickbrower cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -54,10 +55,18 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not preserve zone information in file attachments* +- GP English name: *Do not preserve zone information in file attachments* - GP name: *AM_MarkZoneOnSavedAtttachments* +- GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* @@ -79,11 +88,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -98,10 +107,18 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Hide mechanisms to remove zone information* +- GP English name: *Hide mechanisms to remove zone information* - GP name: *AM_RemoveZoneInfo* +- GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* @@ -123,11 +140,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -142,10 +159,18 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Notify antivirus programs when opening attachments* +- GP English name: *Notify antivirus programs when opening attachments* - GP name: *AM_CallIOfficeAntiVirus* +- GP path: *Windows Components/Attachment Manager* - GP ADMX file name: *AttachmentManager.admx* diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index a3abf1e90d..fcc6506c15 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Authentication diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 94426589fc..daac26b55d 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md 
@@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Autoplay @@ -33,13 +34,13 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -52,10 +53,18 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disallow Autoplay for non-volume devices* +- GP English name: *Disallow Autoplay for non-volume devices* - GP name: *NoAutoplayfornonVolume* +- GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* @@ -75,13 +84,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -103,10 +112,18 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Set the default behavior for AutoRun* +- GP English name: *Set the default behavior for AutoRun* - GP name: *NoAutorun* +- GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* @@ -126,13 +143,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -155,10 +172,18 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off Autoplay* +- GP English name: *Turn off Autoplay* - GP name: *Autorun* +- GP path: *Windows Components/AutoPlay Policies* - GP ADMX file name: *AutoPlay.admx* diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index c4a361dbf8..1220f63607 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Bitlocker @@ -57,6 +58,34 @@ author: nickbrower - 6 - XTS-AES 128-bit (Desktop only) - 7 - XTS-AES 256-bit (Desktop only) +

    You can find the following policies in BitLocker CSP: +

    +
    + BitLocker/EncryptionMethodByDriveType +
    +
    + BitLocker/FixedDrivesRecoveryOptions +
    +
    + BitLocker/FixedDrivesRequireEncryption +
    +
    + BitLocker/RemovableDrivesRequireEncryption +
    +
    + BitLocker/SystemDrivesMinimumPINLength +
    +
    + BitLocker/SystemDrivesRecoveryMessage +
    +
    + BitLocker/SystemDrivesRecoveryOptions +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication +
    +
    +
    diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index c4f2efa69b..7bd2ea4992 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Bluetooth diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index ac21e5988b..82c992e8eb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Browser @@ -678,6 +679,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. + + + +**Browser/AlwaysEnableBooksLibrary** + + +

    + +

    This is only a placeholder. + @@ -964,6 +975,51 @@ Employees cannot remove these search engines, but they can set any one as the de > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + + + +**Browser/LockdownFavorites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +

    If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +> [!Important] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +

      +
    • 0 - Disabled. Do not lockdown Favorites.
    • +
    • 1 - Enabled. Lockdown Favorites.
    • +
    + +

    If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + +

    Data type is integer. + @@ -1190,6 +1246,50 @@ Employees cannot remove these search engines, but they can set any one as the de - 0 (default) – The localhost IP address is shown. - 1 – The localhost IP address is hidden. + + + +**Browser/ProvisionFavorites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
    + + + +

    Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. +  +

    URL can be specified as: + +- HTTP location: "SiteList"="http://localhost:8080/URLs.html" +- Local network: "SiteList"="\\network\shares\URLs.html" +- Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html" + +> [!Important] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +

    If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + +

    Data type is string. + diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 052c9a0190..ca7b98ecc5 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Camera diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 2eacb78000..b1c206e118 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Cellular @@ -19,14 +20,45 @@ author: nickbrower ## Cellular policies -**Cellular/ShowAppCellularAccessUI** +**Cellular/ShowAppCellularAccessUI** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Set Per-App Cellular Access UI Visibility* +- GP English name: *Set Per-App Cellular Access UI Visibility* - GP name: *ShowAppCellularAccessUI* +- GP path: *Network/WWAN Service/WWAN UI Settings* - GP ADMX file name: *wwansvc.admx* @@ -41,3 +73,21 @@ Footnote: + +## Cellular policies that can be set using Exchange Active Sync (EAS) + +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) + + + +## Cellular policies supported by IoT Core + +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) + + + +## Cellular policies supported by Microsoft Surface Hub + +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) + + diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 76654d609a..5ffa503ab6 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Connectivity @@ -349,40 +350,133 @@ author: nickbrower -**Connectivity/DiablePrintingOverHTTP** +**Connectivity/DiablePrintingOverHTTP** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off printing over HTTP* +- GP English name: *Turn off printing over HTTP* - GP name: *DisableHTTPPrinting_2* +- GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* -**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** +**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off downloading of print drivers over HTTP* +- GP English name: *Turn off downloading of print drivers over HTTP* - GP name: *DisableWebPnPDownload_2* +- GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* -**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** +**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off Internet download for Web publishing and online ordering wizards* +- GP English name: *Turn off Internet download for Web publishing and online ordering wizards* - GP name: *ShellPreventWPWDownload_2* +- GP path: *Internet Communication settings* - GP ADMX file name: *ICM.admx* @@ -404,11 +498,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -419,23 +513,62 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Hardened UNC Paths* +- GP English name: *Hardened UNC Paths* - GP name: *Pol_HardenedPaths* +- GP path: *Network/Network Provider* - GP ADMX file name: *networkprovider.admx* -**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** +**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* +- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* - GP name: *NC_AllowNetBridge_NLA* +- GP path: *Network/Network Connections* - GP ADMX file name: *NetworkConnections.admx* @@ -473,7 +606,11 @@ Footnote: - [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) - [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) - [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) 
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index cc99642fbc..e253febdf8 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - CredentialProviders @@ -35,11 +36,11 @@ author: nickbrower cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark @@ -56,10 +57,18 @@ Note: The user's domain password will be cached in the system vault when using t To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on convenience PIN sign-in* +- GP English name: *Turn on convenience PIN sign-in* - GP name: *AllowDomainPINLogon* +- GP path: *System/Logon* - GP ADMX file name: *credentialproviders.admx* @@ -81,11 +90,11 @@ ADMX Info: cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -100,16 +109,24 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off picture password sign-in* +- GP English name: *Turn off picture password sign-in* - GP name: *BlockDomainPicturePassword* +- GP path: *System/Logon* - GP ADMX file name: *credentialproviders.admx* -**CredentialProviders/EnableWindowsAutoPilotResetCredentials** +**CredentialProviders/DisableAutomaticReDeploymentCredentials** 
@@ -135,11 +152,12 @@ ADMX Info: -Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. +Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. -The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. +The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. -Default value is 0. +- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment +- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index e51c7be1c8..15d68cf69e 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - CredentialsUI @@ -34,10 +35,10 @@ author: nickbrower - - - - + + + + 
@@ -56,10 +57,18 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not display the password reveal button* +- GP English name: *Do not display the password reveal button* - GP name: *DisablePasswordReveal* +- GP path: *Windows Components/Credential User Interface* - GP ADMX file name: *credui.admx* @@ -80,10 +89,10 @@ ADMX Info: - - - - + + + + 
@@ -98,10 +107,18 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enumerate administrator accounts on elevation* +- GP English name: *Enumerate administrator accounts on elevation* - GP name: *EnumerateAdministrators* +- GP path: *Windows Components/Credential User Interface* - GP ADMX file name: *credui.admx* diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index b010cfdbb9..eef7cdeba4 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Cryptography diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 418361ef03..edba750722 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md 
@@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - DataProtection diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 54687bcb5c..a8724cc2f6 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - DataUsage @@ -33,9 +34,9 @@ author: nickbrower + - @@ -58,10 +59,18 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Set 3G Cost* +- GP English name: *Set 3G Cost* - GP name: *SetCost3G* +- GP path: *Network/WWAN Service/WWAN Media Cost* - GP ADMX file name: *wwansvc.admx* @@ -81,9 +90,9 @@ ADMX Info: + - 
@@ -106,10 +115,18 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Set 4G Cost* +- GP English name: *Set 4G Cost* - GP name: *SetCost4G* +- GP path: *Network/WWAN Service/WWAN Media Cost* - GP ADMX file name: *wwansvc.admx* diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 9fdbbe8095..81e87eb957 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Defender @@ -686,7 +687,7 @@ Value type is string.

    If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. -p

    For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. +

    For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.       > [!Note] > This feature requires the "Join Microsoft MAPS" setting enabled in order to function. @@ -739,6 +740,74 @@ p

    For more information about specific values that ar > [!Note] > This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". + + + +**Defender/ControlledFolderAccessAllowedApplications** + + +

    cross markcheck mark3check mark3check mark3check mark3check markcheck markcheck markcheck mark cross mark cross mark
    cross markcheck mark3check mark3check mark3check mark3check markcheck markcheck markcheck mark cross mark cross mark
    Mobile Enterprise
    cross mark check mark check mark check mark check mark cross markMobile Enterprise
    cross mark check mark check mark check mark check mark cross mark
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. + +

    Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. + + + + +**Defender/ControlledFolderAccessProtectedFolders** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. + +

    Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. + @@ -781,7 +850,7 @@ p

    For more information about specific values that ar -**Defender/EnableGuardMyFolders** +**Defender/EnableControlledFolderAccess** @@ -808,13 +877,13 @@ p

    For more information about specific values that ar > [!NOTE] -> This policy is only enforced in Windows 10 for desktop. +> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.

    Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. -- 0 (default) - Off -- 1 - Audit mode -- 2 - Enforcement mode +- 0 (default) - Disabled +- 1 - Enabled +- 2 - Audit Mode @@ -973,74 +1042,6 @@ p

    For more information about specific values that ar  

    Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - -**Defender/GuardedFoldersAllowedApplications** - - -

    - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

    Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. - - - - -**Defender/GuardedFoldersList** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -

    Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. - diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index bcd687b62f..e352718a5d 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - DeliveryOptimization diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 1a2b0575d1..8a3b89d0f5 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Desktop @@ -34,10 +35,10 @@ author: nickbrower cross mark - check mark1 - - check mark1 - check mark1 + check mark + check mark + check mark + check mark cross mark cross mark 
@@ -52,10 +53,18 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prohibit User from manually redirecting Profile Folders* +- GP English name: *Prohibit User from manually redirecting Profile Folders* - GP name: *DisablePersonalDirChange* +- GP path: *Desktop* - GP ADMX file name: *desktop.admx* diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index a33fac0efa..df77a218e7 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - DeviceGuard @@ -142,6 +143,6 @@ Footnote: ## DeviceGuard policies supported by Microsoft Surface Hub -- [DeviceGuard/AllowKernelControlFlowGuard](#None) +- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 6fe4218008..4b04c4567d 100644 
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - DeviceInstallation @@ -34,10 +35,10 @@ author: nickbrower cross mark - cross mark - cross mark - check mark3 - check mark3 + check mark + check mark + check mark + check mark cross mark cross mark @@ -52,10 +53,18 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent installation of devices that match any of these device IDs* +- GP English name: *Prevent installation of devices that match any of these device IDs* - GP name: *DeviceInstall_IDs_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* - GP ADMX file name: *deviceinstallation.admx* @@ -76,10 +85,10 @@ ADMX Info: cross mark - cross mark - cross mark - check mark3 - check mark3 + check mark + check mark + check mark + check mark cross mark cross mark 
@@ -94,10 +103,18 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent installation of devices using drivers that match these device setup classes* +- GP English name: *Prevent installation of devices using drivers that match these device setup classes* - GP name: *DeviceInstall_Classes_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* - GP ADMX file name: *deviceinstallation.admx* diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 6aedca4af1..dcfc34f488 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - DeviceLock @@ -738,13 +739,13 @@ The number of authentication failures allowed before the device will be wiped. A Mobile Enterprise - check mark - check mark - + cross mark check mark check mark check mark check mark + cross mark + cross mark 
@@ -757,10 +758,18 @@ By default, users can enable a slide show that will run after they lock the mach If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent enabling lock screen slide show* +- GP English name: *Prevent enabling lock screen slide show* - GP name: *CPL_Personalization_NoLockScreenSlideshow* +- GP path: *Control Panel/Personalization* - GP ADMX file name: *ControlPanelDisplay.admx* diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 142be5ef59..7af8189ba0 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Display diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md new file mode 100644 index 0000000000..6be666c341 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-education.md 
@@ -0,0 +1,133 @@ +--- +title: Policy CSP - Education +description: Policy CSP - Education +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/30/2017 +--- + +# Policy CSP - Education + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +


    + +## Education policies + + +**Education/DefaultPrinterName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. + +The policy value is expected to be the name (network host name) of an installed printer. + + + + +**Education/PreventAddingNewPrinters** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. + +The following list shows the supported values: + +- 0 (default) – Allow user installation. +- 1 – Prevent user installation. + + + + +**Education/PrinterNames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). + +The policy value is expected to be a `````` seperated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index 76c623cf52..c11c6d066d 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - EnterpriseCloudPrint @@ -45,7 +46,7 @@ author: nickbrower -

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. +

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.

    The datatype is a string. @@ -80,7 +81,7 @@ author: nickbrower -

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. +

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.

    The datatype is a string. @@ -115,7 +116,7 @@ author: nickbrower -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.

    The datatype is a string. @@ -150,7 +151,7 @@ author: nickbrower -

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. +

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.

    The datatype is a string. @@ -185,7 +186,7 @@ author: nickbrower -

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. +

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.

    The datatype is an integer. @@ -220,7 +221,7 @@ author: nickbrower -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.

    The datatype is a string. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 9420ab52aa..98c03c6579 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - ErrorReporting @@ -34,12 +35,12 @@ author: nickbrower cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -62,10 +63,18 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Customize consent settings* +- GP English name: *Customize consent settings* - GP name: *WerConsentCustomize_2* +- GP path: *Windows Components/Windows Error Reporting/Consent* - GP ADMX file name: *ErrorReporting.admx* 
@@ -86,12 +95,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -104,10 +113,18 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disable Windows Error Reporting* +- GP English name: *Disable Windows Error Reporting* - GP name: *WerDisable_2* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* @@ -128,12 +145,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -150,10 +167,18 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Display Error Notification* +- GP English name: *Display Error Notification* - GP name: *PCH_ShowUI* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* @@ -174,12 +199,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -192,10 +217,18 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not send additional data* +- GP English name: *Do not send additional data* - GP name: *WerNoSecondLevelData_2* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* @@ -216,12 +249,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -234,10 +267,18 @@ If you enable this policy setting, Windows Error Reporting does not display any If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent display of the user interface for critical errors* +- GP English name: *Prevent display of the user interface for critical errors* - GP name: *WerDoNotShowUI* +- GP path: *Windows Components/Windows Error Reporting* - GP ADMX file name: *ErrorReporting.admx* diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index a7d3d8bcf3..a73f5c2b18 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - EventLogService @@ -34,12 +35,12 @@ author: nickbrower cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -54,10 +55,18 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Control Event Log behavior when the log file reaches its maximum size* +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* - GP name: *Channel_Log_Retention_1* +- GP path: *Windows Components/Event Log Service/Application* - GP ADMX file name: *eventlog.admx* @@ -78,12 +87,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -96,10 +105,18 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* +- GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_1* +- GP path: *Windows Components/Event Log Service/Application* - GP ADMX file name: *eventlog.admx* @@ -120,12 +137,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -138,10 +155,18 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* +- GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_2* +- GP path: *Windows Components/Event Log Service/Security* - GP ADMX file name: *eventlog.admx* @@ -162,12 +187,12 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -180,10 +205,18 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* +- GP English name: *Specify the maximum log file size (KB)* - GP name: *Channel_LogMaxSize_4* +- GP path: *Windows Components/Event Log Service/System* - GP ADMX file name: *eventlog.admx* diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index d0a5edf221..b5e7a8bfe2 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Experience @@ -143,6 +144,46 @@ author: nickbrower

    Most restricted value is 0. + + + +**Experience/AllowFindMyDevice** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. This policy turns on Find My Device. + +

    When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. + +

    When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md new file mode 100644 index 0000000000..292dfa31bc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -0,0 +1,89 @@ +--- +title: Policy CSP - ExploitGuard +description: Policy CSP - ExploitGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/30/2017 +--- + +# Policy CSP - ExploitGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +


    + +## ExploitGuard policies + + +**ExploitGuard/ExploitProtectionSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). + +

    The system settings require a reboot; the application settings do not require a reboot. + +

    Here is an example: + +``` syntax + + + + + $CmdId$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings + + ]]> + + + + + + +``` + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index 65d798cab5..f6fc32cc9f 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/31/2017 --- # Policy CSP - Games @@ -33,20 +34,24 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark3 + check mark3 + check mark3 + check mark3 + cross mark + cross mark -

    Placeholder only. Currently not supported. +

    Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer. +- 0 - Not Allowed +- 1 (default) - Allowed + +

    This policy can only be turned off in Windows 10 Education and Enterprise editions.


    diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 096bb1b61b..7be92bcfc1 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - InternetExplorer @@ -33,13 +34,13 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -52,10 +53,18 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Add a specific list of search providers to the user's list of search providers* +- GP English name: *Add a specific list of search providers to the user's list of search providers* - GP name: *AddSearchProvider* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* 
@@ -75,13 +84,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -94,10 +103,18 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on ActiveX Filtering* +- GP English name: *Turn on ActiveX Filtering* - GP name: *TurnOnActiveXFiltering* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -117,13 +134,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -142,49 +159,150 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Add-on List* +- GP English name: *Add-on List* - GP name: *AddonManagement_AddOnList* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* -**InternetExplorer/AllowAutoComplete** +**InternetExplorer/AllowAutoComplete** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on the auto-complete feature for user names and passwords on forms* +- GP English name: *Turn on the auto-complete feature for user names and passwords on forms* - GP name: *RestrictFormSuggestPW* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/AllowCertificateAddressMismatchWarning** +**InternetExplorer/AllowCertificateAddressMismatchWarning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on certificate address mismatch warning* +- GP English name: *Turn on certificate address mismatch warning* - GP name: *IZ_PolicyWarnCertMismatch* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* -**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** +**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow deleting browsing history on exit* +- GP English name: *Allow deleting browsing history on exit* - GP name: *DBHDisableDeleteOnExit* +- GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* @@ -204,13 +322,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -225,10 +343,18 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Enhanced Protected Mode* +- GP English name: *Turn on Enhanced Protected Mode* - GP name: *Advanced_EnableEnhancedProtectedMode* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -248,13 +374,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -267,10 +393,18 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* +- GP English name: *Let users turn on and use Enterprise Mode from the Tools menu* - GP name: *EnterpriseModeEnable* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -290,13 +424,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -309,23 +443,62 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Use the Enterprise Mode IE website list* +- GP English name: *Use the Enterprise Mode IE website list* - GP name: *EnterpriseModeSiteList* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/AllowFallbackToSSL3** +**InternetExplorer/AllowFallbackToSSL3** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)* +- GP English name: *Allow fallback to SSL 3.0 (Internet Explorer)* - GP name: *Advanced_EnableSSL3Fallback* +- GP path: *Windows Components/Internet Explorer/Security Features* - GP ADMX file name: *inetres.admx* @@ -345,13 +518,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -364,10 +537,18 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Use Policy List of Internet Explorer 7 sites* +- GP English name: *Use Policy List of Internet Explorer 7 sites* - GP name: *CompatView_UsePolicyList* +- GP path: *Windows Components/Internet Explorer/Compatibility View* - GP ADMX file name: *inetres.admx* @@ -387,13 +568,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -408,10 +589,18 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* +- GP English name: *Turn on Internet Explorer Standards Mode for local intranet* - GP name: *CompatView_IntranetSites* +- GP path: *Windows Components/Internet Explorer/Compatibility View* - GP ADMX file name: *inetres.admx* @@ -431,13 +620,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -456,10 +645,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Internet Zone Template* +- GP English name: *Internet Zone Template* - GP name: *IZ_PolicyInternetZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -479,13 +676,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -504,10 +701,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Intranet Zone Template* +- GP English name: *Intranet Zone Template* - GP name: *IZ_PolicyIntranetZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -527,13 +732,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -552,10 +757,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Local Machine Zone Template* +- GP English name: *Local Machine Zone Template* - GP name: *IZ_PolicyLocalMachineZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -575,13 +788,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -600,10 +813,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Locked-Down Internet Zone Template* +- GP English name: *Locked-Down Internet Zone Template* - GP name: *IZ_PolicyInternetZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -623,13 +844,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -648,10 +869,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Locked-Down Intranet Zone Template* +- GP English name: *Locked-Down Intranet Zone Template* - GP name: *IZ_PolicyIntranetZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -671,13 +900,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -696,10 +925,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Locked-Down Local Machine Zone Template* +- GP English name: *Locked-Down Local Machine Zone Template* - GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -719,13 +956,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -744,10 +981,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Locked-Down Restricted Sites Zone Template* +- GP English name: *Locked-Down Restricted Sites Zone Template* - GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -767,13 +1012,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -786,10 +1031,18 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Go to an intranet site for a one-word entry in the Address bar* +- GP English name: *Go to an intranet site for a one-word entry in the Address bar* - GP name: *UseIntranetSiteForOneWordEntry* +- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* - GP ADMX file name: *inetres.admx* @@ -809,13 +1062,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -834,23 +1087,62 @@ Value - A number indicating the zone with which this site should be associated f If you disable or do not configure this policy, users may choose their own site-to-zone assignments. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Site to Zone Assignment List* +- GP English name: *Site to Zone Assignment List* - GP name: *IZ_Zonemaps* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* -**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** +**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow software to run or install even if the signature is invalid* +- GP English name: *Allow software to run or install even if the signature is invalid* - GP name: *Advanced_InvalidSignatureBlock* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -870,13 +1162,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -891,10 +1183,18 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Suggested Sites* +- GP English name: *Turn on Suggested Sites* - GP name: *EnableSuggestedSites* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -914,13 +1214,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -939,10 +1239,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Trusted Sites Zone Template* +- GP English name: *Trusted Sites Zone Template* - GP name: *IZ_PolicyTrustedSitesZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -962,13 +1270,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -987,10 +1295,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Locked-Down Trusted Sites Zone Template* +- GP English name: *Locked-Down Trusted Sites Zone Template* - GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -1010,13 +1326,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1035,49 +1351,150 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Restricted Sites Zone Template* +- GP English name: *Restricted Sites Zone Template* - GP name: *IZ_PolicyRestrictedSitesZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* -**InternetExplorer/CheckServerCertificateRevocation** +**InternetExplorer/CheckServerCertificateRevocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Check for server certificate revocation* +- GP English name: *Check for server certificate revocation* - GP name: *Advanced_CertificateRevocation* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* -**InternetExplorer/CheckSignaturesOnDownloadedPrograms** +**InternetExplorer/CheckSignaturesOnDownloadedPrograms** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Check for signatures on downloaded programs* +- GP English name: *Check for signatures on downloaded programs* - GP name: *Advanced_DownloadSignatures* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* -**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** +**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_2* +- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction* - GP ADMX file name: *inetres.admx* @@ -1097,13 +1514,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1118,23 +1535,62 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ ADMX Info: -- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* +- GP English name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* - GP name: *DisableFlashInIE* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableBlockingOfOutdatedActiveXControls** +**InternetExplorer/DisableBlockingOfOutdatedActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* - GP name: *VerMgmtDisable* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -1154,13 +1610,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1173,10 +1629,18 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings* +- GP English name: *Prevent bypassing SmartScreen Filter warnings* - GP name: *DisableSafetyFilterOverride* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1196,13 +1660,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1215,36 +1679,106 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* +- GP English name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* - GP name: *DisableSafetyFilterOverrideForAppRepUnknown* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableConfiguringHistory** +**InternetExplorer/DisableConfiguringHistory** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disable "Configuring History"* +- GP English name: *Disable "Configuring History"* - GP name: *RestrictHistory* +- GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableCrashDetection** +**InternetExplorer/DisableCrashDetection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off Crash Detection* +- GP English name: *Turn off Crash Detection* - GP name: *AddonManagement_RestrictCrashDetection* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1264,13 +1798,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1285,23 +1819,62 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent participation in the Customer Experience Improvement Program* +- GP English name: *Prevent participation in the Customer Experience Improvement Program* - GP name: *SQM_DisableCEIP* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableDeletingUserVisitedWebsites** +**InternetExplorer/DisableDeletingUserVisitedWebsites** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent deleting websites that the user has visited* +- GP English name: *Prevent deleting websites that the user has visited* - GP name: *DBHDisableDeleteHistory* +- GP path: *Windows Components/Internet Explorer/Delete Browsing History* - GP ADMX file name: *inetres.admx* @@ -1321,13 +1894,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1340,10 +1913,18 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent downloading of enclosures* +- GP English name: *Prevent downloading of enclosures* - GP name: *Disable_Downloading_of_Enclosures* +- GP path: *Windows Components/RSS Feeds* - GP ADMX file name: *inetres.admx* @@ -1363,13 +1944,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1384,10 +1965,18 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off encryption support* +- GP English name: *Turn off encryption support* - GP name: *Advanced_SetWinInetProtocols* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1407,13 +1996,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1430,10 +2019,18 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent running First Run wizard* +- GP English name: *Prevent running First Run wizard* - GP name: *NoFirstRunCustomise* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1453,13 +2050,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1476,10 +2073,18 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off the flip ahead with page prediction feature* +- GP English name: *Turn off the flip ahead with page prediction feature* - GP name: *Advanced_DisableFlipAhead* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1499,13 +2104,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1518,49 +2123,150 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disable changing home page settings* +- GP English name: *Disable changing home page settings* - GP name: *RestrictHomePage* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableIgnoringCertificateErrors** +**InternetExplorer/DisableIgnoringCertificateErrors** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent ignoring certificate errors* +- GP English name: *Prevent ignoring certificate errors* - GP name: *NoCertError* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableInPrivateBrowsing** +**InternetExplorer/DisableInPrivateBrowsing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off InPrivate Browsing* +- GP English name: *Turn off InPrivate Browsing* - GP name: *DisableInPrivateBrowsing* +- GP path: *Windows Components/Internet Explorer/Privacy* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableProcessesInEnhancedProtectedMode** +**InternetExplorer/DisableProcessesInEnhancedProtectedMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* +- GP English name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* - GP name: *Advanced_EnableEnhancedProtectedMode64Bit* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1580,13 +2286,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1599,10 +2305,18 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent changing proxy settings* +- GP English name: *Prevent changing proxy settings* - GP name: *RestrictProxy* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1622,13 +2336,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1641,10 +2355,18 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent changing the default search provider* +- GP English name: *Prevent changing the default search provider* - GP name: *NoSearchProvider* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1664,13 +2386,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1685,23 +2407,62 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disable changing secondary home page settings* +- GP English name: *Disable changing secondary home page settings* - GP name: *SecondaryHomePages* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DisableSecuritySettingsCheck** +**InternetExplorer/DisableSecuritySettingsCheck** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off the Security Settings Check feature* +- GP English name: *Turn off the Security Settings Check feature* - GP name: *Disable_Security_Settings_Check* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1721,13 +2482,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1742,23 +2503,62 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disable Periodic Check for Internet Explorer software updates* +- GP English name: *Disable Periodic Check for Internet Explorer software updates* - GP name: *NoUpdateCheck* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** +**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* +- GP English name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* - GP name: *Advanced_DisableEPMCompat* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* - GP ADMX file name: *inetres.admx* @@ -1778,13 +2578,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1803,10 +2603,18 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Security Zones: Do not allow users to add/delete sites* +- GP English name: *Security Zones: Do not allow users to add/delete sites* - GP name: *Security_zones_map_edit* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1826,13 +2634,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1851,10 +2659,18 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Security Zones: Do not allow users to change policies* +- GP English name: *Security Zones: Do not allow users to change policies* - GP name: *Security_options_edit* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -1874,13 +2690,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1895,10 +2711,18 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* - GP name: *VerMgmtDisable* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -1918,13 +2742,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1943,10 +2767,18 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* +- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* - GP name: *VerMgmtDomainAllowlist* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -1966,13 +2798,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -1987,10 +2819,18 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* +- GP English name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* - GP name: *IZ_IncludeUnspecifiedLocalSites* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -2010,13 +2850,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2031,10 +2871,18 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Intranet Sites: Include all network paths (UNCs)* +- GP English name: *Intranet Sites: Include all network paths (UNCs)* - GP name: *IZ_UNCAsIntranet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* - GP ADMX file name: *inetres.admx* @@ -2054,13 +2902,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2075,10 +2923,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2098,13 +2954,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2119,10 +2975,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2142,13 +3006,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2161,36 +3025,106 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowCopyPasteViaScript** +**InternetExplorer/InternetZoneAllowCopyPasteViaScript** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP English name: *Allow cut, copy or paste operations from the clipboard via script* - GP name: *IZ_PolicyAllowPasteViaScript_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** +**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow drag and drop or copy and paste files* +- GP English name: *Allow drag and drop or copy and paste files* - GP name: *IZ_PolicyDropOrPasteFiles_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2210,13 +3144,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2231,10 +3165,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2254,13 +3196,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2275,23 +3217,62 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG** +**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow loading of XAML files* +- GP English name: *Allow loading of XAML files* - GP name: *IZ_Policy_XAML_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2311,13 +3292,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2332,62 +3313,194 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** +**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow only approved domains to use ActiveX controls without prompt* -- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet* +- GP English name: *Allow only approved domains to use ActiveX controls without prompt* +- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** +**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow only approved domains to use the TDC ActiveX control* -- GP name: *IZ_PolicyAllowTDCControl_Both_LocalMachine* +- GP English name: *Allow only approved domains to use the TDC ActiveX control* +- GP name: *IZ_PolicyAllowTDCControl_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** +**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow script-initiated windows without size or position constraints* -- GP name: *IZ_PolicyWindowsRestrictionsURLaction_6* +- GP English name: *Allow script-initiated windows without size or position constraints* +- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** +**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP English name: *Allow scripting of Internet Explorer WebBrowser controls* - GP name: *IZ_Policy_WebBrowserControl_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2407,13 +3520,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2428,10 +3541,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2451,13 +3572,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2474,23 +3595,62 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** +**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow updates to status bar via script* +- GP English name: *Allow updates to status bar via script* - GP name: *IZ_Policy_ScriptStatusBar_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2510,13 +3670,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2531,140 +3691,414 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1** +**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2** +**InternetExplorer/InternetZoneDownloadSignedActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* +- GP English name: *Download signed ActiveX controls* +- GP name: *IZ_PolicyDownloadSignedActiveX_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneDownloadSignedActiveXControls** +**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Download signed ActiveX controls* -- GP name: *IZ_PolicyDownloadSignedActiveX_3* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** - - - - -ADMX Info: -- GP english name: *Download unsigned ActiveX controls* +- GP English name: *Download unsigned ActiveX controls* - GP name: *IZ_PolicyDownloadUnsignedActiveX_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** +**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Cross-Site Scripting Filter* -- GP name: *IZ_PolicyTurnOnXSSFilter_Both_LocalMachine* +- GP English name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** +**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable dragging of content from different domains across windows* +- GP English name: *Enable dragging of content from different domains across windows* - GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** +**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable dragging of content from different domains within a window* +- GP English name: *Enable dragging of content from different domains within a window* - GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneEnableMIMESniffing** +**InternetExplorer/InternetZoneEnableMIMESniffing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable MIME Sniffing* +- GP English name: *Enable MIME Sniffing* - GP name: *IZ_PolicyMimeSniffingURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneEnableProtectedMode** +**InternetExplorer/InternetZoneEnableProtectedMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Protected Mode* -- GP name: *IZ_Policy_TurnOnProtectedMode_2* +- GP English name: *Turn on Protected Mode* +- GP name: *IZ_Policy_TurnOnProtectedMode_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** +**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Include local path when user is uploading files to a server* +- GP English name: *Include local path when user is uploading files to a server* - GP name: *IZ_Policy_LocalPathForUpload_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2684,13 +4118,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2707,75 +4141,179 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** +**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* -- GP ADMX file name: *inetres.admx* - - -**InternetExplorer/InternetZoneJavaPermissionsWRONG1** +**InternetExplorer/InternetZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneJavaPermissionsWRONG2** +**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_3* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** - - - - -ADMX Info: -- GP english name: *Launching applications and files in an IFRAME* +- GP English name: *Launching applications and files in an IFRAME* - GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneLogonOptions** +**InternetExplorer/InternetZoneLogonOptions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Logon options* +- GP English name: *Logon options* - GP name: *IZ_PolicyLogon_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2795,13 +4333,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2816,75 +4354,238 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** +**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** +**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components signed with Authenticode* - GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** +**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Show security warning for potentially unsafe files* +- GP English name: *Show security warning for potentially unsafe files* - GP name: *IZ_Policy_UnsafeFiles_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneUsePopupBlocker** +**InternetExplorer/InternetZoneUsePopupBlocker** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Use Pop-up Blocker* +- GP English name: *Use Pop-up Blocker* - GP name: *IZ_PolicyBlockPopupWindows_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** +**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* @@ -2904,13 +4605,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2925,10 +4626,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -2948,13 +4657,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -2969,10 +4678,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -2992,13 +4709,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3011,10 +4728,18 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3034,13 +4759,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3055,10 +4780,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3078,13 +4811,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3099,10 +4832,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3122,13 +4863,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3143,10 +4884,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3166,13 +4915,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3187,10 +4936,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3210,13 +4967,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3233,10 +4990,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3256,13 +5021,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3277,10 +5042,62 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3300,13 +5117,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3323,10 +5140,106 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3346,13 +5259,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3367,10 +5280,18 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -3390,13 +5311,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3411,10 +5332,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3434,13 +5363,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3455,10 +5384,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3478,13 +5415,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3497,10 +5434,18 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3520,13 +5465,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3541,10 +5486,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3564,13 +5517,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3585,10 +5538,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3608,13 +5569,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3629,10 +5590,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3652,13 +5621,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3673,10 +5642,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3696,13 +5673,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3719,10 +5696,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3742,13 +5727,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3763,23 +5748,62 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** +**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3799,13 +5823,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3822,23 +5846,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/LocalMachineZoneJavaPermissions** +**InternetExplorer/LocalMachineZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_9* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -3858,13 +5921,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -3879,10 +5942,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
+- GP English name: *Navigate windows and frames across different domains*
 - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
 - GP ADMX file name: *inetres.admx*
@@ -3902,13 +5973,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -3923,10 +5994,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
 If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Access data sources across domains*
+- GP English name: *Access data sources across domains*
 - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -3946,13 +6025,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -3967,10 +6046,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
+- GP English name: *Automatic prompting for ActiveX controls*
 - GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -3990,13 +6077,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4009,10 +6096,18 @@ If you enable this setting, users will receive a file download dialog for automa
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
+- GP English name: *Automatic prompting for file downloads*
 - GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4032,13 +6127,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4053,10 +6148,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Allow font downloads*
+- GP English name: *Allow font downloads*
 - GP name: *IZ_PolicyFontDownload_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4076,13 +6179,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4097,10 +6200,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
 - GP name: *IZ_PolicyZoneElevationURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4120,13 +6231,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4141,10 +6252,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
 - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4164,13 +6283,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4185,10 +6304,18 @@ If you disable this policy setting, the user cannot run scriptlets.
 If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Allow scriptlets*
+- GP English name: *Allow scriptlets*
 - GP name: *IZ_Policy_AllowScriptlets_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4208,13 +6335,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4231,10 +6358,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
+- GP English name: *Turn on SmartScreen Filter scan*
 - GP name: *IZ_Policy_Phishing_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4254,13 +6389,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4275,10 +6410,18 @@ If you disable this policy setting, users cannot preserve information in the bro
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Userdata persistence*
+- GP English name: *Userdata persistence*
 - GP name: *IZ_PolicyUserdataPersistence_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4298,13 +6441,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4321,23 +6464,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/LockedDownInternetZoneJavaPermissions** +**InternetExplorer/LockedDownInternetZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* - GP ADMX file name: *inetres.admx* @@ -4357,13 +6539,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -4378,10 +6560,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
+- GP English name: *Navigate windows and frames across different domains*
 - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4401,13 +6591,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4422,10 +6612,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
 If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Access data sources across domains*
+- GP English name: *Access data sources across domains*
 - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4445,13 +6643,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4466,10 +6664,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
+- GP English name: *Automatic prompting for ActiveX controls*
 - GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4489,13 +6695,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4508,10 +6714,18 @@ If you enable this setting, users will receive a file download dialog for automa
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
+- GP English name: *Automatic prompting for file downloads*
 - GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4531,13 +6745,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4552,10 +6766,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Allow font downloads*
+- GP English name: *Allow font downloads*
 - GP name: *IZ_PolicyFontDownload_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4575,13 +6797,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4596,10 +6818,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
 - GP name: *IZ_PolicyZoneElevationURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4619,13 +6849,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4640,10 +6870,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
 - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4663,13 +6901,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4684,10 +6922,18 @@ If you disable this policy setting, the user cannot run scriptlets.
 If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Allow scriptlets*
+- GP English name: *Allow scriptlets*
 - GP name: *IZ_Policy_AllowScriptlets_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4707,13 +6953,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4730,10 +6976,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
+- GP English name: *Turn on SmartScreen Filter scan*
 - GP name: *IZ_Policy_Phishing_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4753,13 +7007,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4774,10 +7028,18 @@ If you disable this policy setting, users cannot preserve information in the bro
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Userdata persistence*
+- GP English name: *Userdata persistence*
 - GP name: *IZ_PolicyUserdataPersistence_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
 - GP ADMX file name: *inetres.admx*
@@ -4797,13 +7059,13 @@ ADMX Info:
 Mobile Enterprise
- check mark1
- check mark1
-
- check mark1
- check mark1
- check mark1
- check mark1
+ cross mark
+ check mark
+ check mark
+ check mark
+ check mark
+ cross mark
+ cross mark
@@ -4820,10 +7082,18 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4843,13 +7113,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -4864,10 +7134,18 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* - GP ADMX file name: *inetres.admx* @@ -4887,13 +7165,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -4908,10 +7186,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -4931,13 +7217,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -4952,10 +7238,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -4975,13 +7269,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -4994,10 +7288,18 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5017,13 +7319,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5038,10 +7340,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5061,13 +7371,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5082,10 +7392,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5105,13 +7423,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5126,10 +7444,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5149,13 +7475,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5170,10 +7496,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5193,13 +7527,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5216,10 +7550,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5239,13 +7581,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5260,10 +7602,18 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5283,13 +7633,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5306,23 +7656,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** +**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5342,13 +7731,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5363,10 +7752,18 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* - GP ADMX file name: *inetres.admx* @@ -5386,13 +7783,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5407,10 +7804,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5430,13 +7835,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5451,10 +7856,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5474,13 +7887,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5493,10 +7906,18 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5516,13 +7937,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5537,10 +7958,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5560,13 +7989,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5581,10 +8010,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5604,13 +8041,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5625,10 +8062,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5648,13 +8093,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5669,10 +8114,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5692,13 +8145,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5715,10 +8168,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5738,13 +8199,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5759,10 +8220,18 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5782,13 +8251,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5805,23 +8274,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** +**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5841,13 +8349,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5862,10 +8370,18 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5885,13 +8401,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5906,10 +8422,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5929,13 +8453,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5950,10 +8474,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -5973,13 +8505,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -5992,10 +8524,18 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6015,13 +8555,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6036,10 +8576,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6059,13 +8607,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6080,10 +8628,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6103,13 +8659,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6124,10 +8680,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6147,13 +8711,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6168,10 +8732,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6191,13 +8763,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6214,10 +8786,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6237,13 +8817,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6258,10 +8838,18 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6281,13 +8869,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6304,23 +8892,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** +**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6340,13 +8967,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6361,127 +8988,414 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** +**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_3* +- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction* - GP ADMX file name: *inetres.admx* -**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** +**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_6* +- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature* - GP ADMX file name: *inetres.admx* -**InternetExplorer/NotificationBarInternetExplorerProcesses** +**InternetExplorer/NotificationBarInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Internet Explorer Processes* +- GP English name: *Internet Explorer Processes* - GP name: *IESF_PolicyExplorerProcesses_10* +- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar* - GP ADMX file name: *inetres.admx* -**InternetExplorer/PreventManagingSmartScreenFilter** +**InternetExplorer/PreventManagingSmartScreenFilter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Download signed ActiveX controls* -- GP name: *IZ_PolicyDownloadSignedActiveX_1* +- GP English name: *Prevent managing SmartScreen Filter* +- GP name: *Disable_Managing_Safety_Filter_IE9* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/PreventPerUserInstallationOfActiveXControls** +**InternetExplorer/PreventPerUserInstallationOfActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Prevent per-user installation of ActiveX controls* +- GP English name: *Prevent per-user installation of ActiveX controls* - GP name: *DisablePerUserActiveXInstall* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** +**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_9* +- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** +**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * - GP name: *VerMgmtDisableRunThisTime* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** +**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_11* +- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** +**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_12* +- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download* - GP ADMX file name: *inetres.admx* @@ -6501,13 +9415,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6522,23 +9436,62 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** +**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow active scripting* -- GP name: *IZ_PolicyActiveScripting_1* +- GP English name: *Allow active scripting* +- GP name: *IZ_PolicyActiveScripting_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6558,13 +9511,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6579,10 +9532,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6602,13 +9563,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6621,62 +9582,194 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** +**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow binary and script behaviors* -- GP name: *IZ_PolicyBinaryBehaviors_1* +- GP English name: *Allow binary and script behaviors* +- GP name: *IZ_PolicyBinaryBehaviors_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** +**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP English name: *Allow cut, copy or paste operations from the clipboard via script* - GP name: *IZ_PolicyAllowPasteViaScript_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** +**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow drag and drop or copy and paste files* +- GP English name: *Allow drag and drop or copy and paste files* - GP name: *IZ_PolicyDropOrPasteFiles_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** +**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow file downloads* -- GP name: *IZ_PolicyFileDownload_1* +- GP English name: *Allow file downloads* +- GP name: *IZ_PolicyFileDownload_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6696,13 +9789,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6717,29 +9810,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1** +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_7* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2** - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_1* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6759,13 +9841,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6780,36 +9862,106 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** +**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow loading of XAML files* +- GP English name: *Allow loading of XAML files* - GP name: *IZ_Policy_XAML_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** +**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow META REFRESH* -- GP name: *IZ_PolicyAllowMETAREFRESH_1* +- GP English name: *Allow META REFRESH* +- GP name: *IZ_PolicyAllowMETAREFRESH_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6829,13 +9981,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6850,62 +10002,194 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** +**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP English name: *Allow only approved domains to use ActiveX controls without prompt* - GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** +**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP English name: *Allow only approved domains to use the TDC ActiveX control* - GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** +**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow script-initiated windows without size or position constraints* +- GP English name: *Allow script-initiated windows without size or position constraints* - GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** +**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP English name: *Allow scripting of Internet Explorer WebBrowser controls* - GP name: *IZ_Policy_WebBrowserControl_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6925,13 +10209,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6946,10 +10230,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -6969,13 +10261,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -6992,23 +10284,62 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** +**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow updates to status bar via script* +- GP English name: *Allow updates to status bar via script* - GP name: *IZ_Policy_ScriptStatusBar_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7028,13 +10359,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7049,101 +10380,370 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** +**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP English name: *Don't run antimalware programs against ActiveX controls* - GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** +**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Download signed ActiveX controls* +- GP English name: *Download signed ActiveX controls* - GP name: *IZ_PolicyDownloadSignedActiveX_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** +**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Download unsigned ActiveX controls* +- GP English name: *Download unsigned ActiveX controls* - GP name: *IZ_PolicyDownloadUnsignedActiveX_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** +**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable dragging of content from different domains across windows* +- GP English name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable dragging of content from different domains across windows* - GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** +**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable dragging of content from different domains within a window* +- GP English name: *Enable dragging of content from different domains within a window* - GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** +**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable MIME Sniffing* +- GP English name: *Enable MIME Sniffing* - GP name: *IZ_PolicyMimeSniffingURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** +**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Include local path when user is uploading files to a server* +- GP English name: *Include local path when user is uploading files to a server* - GP name: *IZ_Policy_LocalPathForUpload_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7163,13 +10763,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7186,49 +10786,150 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneJavaPermissions** +**InternetExplorer/RestrictedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** +**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Launching applications and files in an IFRAME* +- GP English name: *Launching applications and files in an IFRAME* - GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneLogonOptions** +**InternetExplorer/RestrictedSitesZoneLogonOptions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Logon options* +- GP English name: *Logon options* - GP name: *IZ_PolicyLogon_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7248,13 +10949,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7269,140 +10970,458 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* +- GP English name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** +**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run ActiveX controls and plugins* -- GP name: *IZ_PolicyRunActiveXControls_1* +- GP English name: *Run ActiveX controls and plugins* +- GP name: *IZ_PolicyRunActiveXControls_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** +**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components signed with Authenticode* - GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** +**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Script ActiveX controls marked safe for scripting* -- GP name: *IZ_PolicyScriptActiveXMarkedSafe_1* +- GP English name: *Script ActiveX controls marked safe for scripting* +- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneWRONG** +**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Scripting of Java applets* -- GP name: *IZ_PolicyScriptingOfJavaApplets_6* +- GP English name: *Scripting of Java applets* +- GP name: *IZ_PolicyScriptingOfJavaApplets_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneWRONG2** +**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Show security warning for potentially unsafe files* +- GP English name: *Show security warning for potentially unsafe files* - GP name: *IZ_Policy_UnsafeFiles_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneWRONG3** +**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Cross-Site Scripting Filter* +- GP English name: *Turn on Cross-Site Scripting Filter* - GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneWRONG4** +**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on Protected Mode* +- GP English name: *Turn on Protected Mode* - GP name: *IZ_Policy_TurnOnProtectedMode_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/RestrictedSitesZoneWRONG5** +**InternetExplorer/RestrictedSitesZoneUsePopupBlocker** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Use Pop-up Blocker* +- GP English name: *Use Pop-up Blocker* - GP name: *IZ_PolicyBlockPopupWindows_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** +**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *All Processes* +- GP English name: *All Processes* - GP name: *IESF_PolicyAllProcesses_8* +- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions* - GP ADMX file name: *inetres.admx* @@ -7422,13 +11441,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7441,36 +11460,106 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Restrict search providers to a specific list* +- GP English name: *Restrict search providers to a specific list* - GP name: *SpecificSearchProvider* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/SecurityZonesUseOnlyMachineSettings** +**InternetExplorer/SecurityZonesUseOnlyMachineSettings** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Security Zones: Use only machine settings * +- GP English name: *Security Zones: Use only machine settings * - GP name: *Security_HKLM_only* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* -**InternetExplorer/SpecifyUseOfActiveXInstallerService** +**InternetExplorer/SpecifyUseOfActiveXInstallerService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* +- GP English name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* - GP name: *OnlyUseAXISForActiveXInstall* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -7490,13 +11579,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7511,10 +11600,18 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Access data sources across domains* +- GP English name: *Access data sources across domains* - GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7534,13 +11631,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7555,10 +11652,18 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* +- GP English name: *Automatic prompting for ActiveX controls* - GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7578,13 +11683,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7597,10 +11702,18 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Automatic prompting for file downloads* +- GP English name: *Automatic prompting for file downloads* - GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7620,13 +11733,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7641,10 +11754,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow font downloads* +- GP English name: *Allow font downloads* - GP name: *IZ_PolicyFontDownload_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7664,13 +11785,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7685,10 +11806,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* - GP name: *IZ_PolicyZoneElevationURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7708,13 +11837,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7729,10 +11858,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* - GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7752,13 +11889,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7773,10 +11910,18 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow scriptlets* +- GP English name: *Allow scriptlets* - GP name: *IZ_Policy_AllowScriptlets_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7796,13 +11941,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7819,10 +11964,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* +- GP English name: *Turn on SmartScreen Filter scan* - GP name: *IZ_Policy_Phishing_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7842,13 +11995,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7863,10 +12016,106 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Userdata persistence* +- GP English name: *Userdata persistence* - GP name: *IZ_PolicyUserdataPersistence_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7886,13 +12135,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7909,23 +12158,150 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP English name: *Initialize and script ActiveX controls not marked as safe* - GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* -**InternetExplorer/TrustedSitesZoneJavaPermissions** +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Java permissions* +- GP English name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Java permissions* - GP name: *IZ_PolicyJavaPermissions_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* @@ -7945,13 +12321,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -7966,36 +12342,18 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Navigate windows and frames across different domains* +- GP English name: *Navigate windows and frames across different domains* - GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneWRONG1** - - - - -ADMX Info: -- GP english name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneWRONG2** - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index a8fbdb51d5..d4683f4ded 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md 
+++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Kerberos @@ -33,13 +34,13 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -52,10 +53,18 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Use forest search order* +- GP English name: *Use forest search order* - GP name: *ForestSearch* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -75,13 +84,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -93,10 +102,18 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* - GP name: *EnableCbacAndArmor* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -116,13 +133,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -139,10 +156,18 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Fail authentication requests when Kerberos armoring is not available* +- GP English name: *Fail authentication requests when Kerberos armoring is not available* - GP name: *ClientRequireFast* +- GP path: *System/Kerberos* - GP ADMX file name: *Kerberos.admx* @@ -162,13 +187,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -181,10 +206,18 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X
 If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Require strict KDC validation*
+- GP English name: *Require strict KDC validation*
 - GP name: *ValidateKDC*
+- GP path: *System/Kerberos*
 - GP ADMX file name: *Kerberos.admx*
@@ -204,13 +237,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark
@@ -227,10 +260,18 @@ If you disable or do not configure this policy setting, the Kerberos client or s
 Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Set maximum Kerberos SSPI context token buffer size*
+- GP English name: *Set maximum Kerberos SSPI context token buffer size*
 - GP name: *MaxTokenSize*
+- GP path: *System/Kerberos*
 - GP ADMX file name: *Kerberos.admx*
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 8c80b8d3a3..a8f855bc5e 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - Licensing
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
new file mode 100644
index 0000000000..5eb02ceae2
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -0,0 +1,1025 @@
+---
+title: Policy CSP - LocalPoliciesSecurityOptions
+description: Policy CSP - LocalPoliciesSecurityOptions
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/30/2017
+---
+
+# Policy CSP - LocalPoliciesSecurityOptions
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## LocalPoliciesSecurityOptions policies
+
+
+**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+This policy setting prevents users from adding new Microsoft accounts on this computer.
+
+If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+
+If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
+
+If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
+
+Valid values:
+- 0 - disabled (users will be able to use Microsoft accounts with Windows)
+- 1 - enabled (users cannot add Microsoft accounts)
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+This security setting determines whether the local Administrator account is enabled or disabled.
+
+If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
+Disabling the Administrator account can become a maintenance issue under certain circumstances.
+
+Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Administrator account is disabled
+- 1 - local Administrator account is enabled
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+This security setting determines if the Guest account is enabled or disabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Accounts: Limit local account use of blank passwords to console logon only
+
+This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
+
+Default: Enabled.
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+Warning:
+
+Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
+If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
+
+This setting does not affect logons that use domain accounts.
+It is possible for applications that use remote interactive logons to bypass this setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Accounts: Rename administrator account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
+
+Default: Administrator.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Accounts: Rename guest account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
+
+Default: Guest.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive Logon:Display user information when the session is locked
+
+Valid values:
+- 1 - User display name, domain and user names
+- 2 - User display name only
+- 3 - Do not display user information
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive logon: Don't display last signed-in
+
+This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive logon: Don't display username at sign-in
+
+This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
+
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive logon: Do not require CTRL+ALT+DEL
+
+This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
+
+If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
+
+If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
+
+Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
+Default on stand-alone computers: Enabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive logon: Machine inactivity limit.
+
+Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
+
+Default: not enforced.
+Valid values:
+- 0 - disabled
+- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive logon: Message text for users attempting to log on
+
+This security setting specifies a text message that is displayed to users when they log on.
+
+This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Interactive logon: Message title for users attempting to log on
+
+This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Recovery console: Allow automatic administrative logon
+
+This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
+
+Default: This policy is not defined and automatic administrative logon is not allowed.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow automatic administrative logon)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+Shutdown: Allow system to be shut down without having to log on
+
+This security setting determines whether a computer can be shut down without having to log on to Windows.
+
+When this policy is enabled, the Shut Down command is available on the Windows logon screen.
+
+When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
+
+Default on workstations: Enabled.
+Default on servers: Disabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow system to be shut down without having to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
+
+This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+
+Disabled: (Default)
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+This policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+
+• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Behavior of the elevation prompt for standard users
+This policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Only elevate executable files that are signed and validated
+
+This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- …\Program Files\, including subfolders
+- …\Windows\system32\
+- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
+
+Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Turn on Admin Approval Mode
+
+This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Switch to the secure desktop when prompting for elevation
+
+This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+User Account Control: Virtualize file and registry write failures to per-user locations
+
+This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
+
+The options are:
+- 0 - Disabled: Applications that write data to protected locations fail.
+- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index f645587446..130111a793 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - Location
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 25dc0413fe..ff2b494dee 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - LockDown
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 71023a8d83..40abac41bc 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - Maps
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 0cb1012fa9..edaff6765e 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - Messaging
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 8c7f783b3c..3196840a3b 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - NetworkIsolation
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 1ba72d35a8..2a291f8ba6 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - Notifications
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index b0b74a08f2..17298b3cdf 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - Power
@@ -34,12 +35,12 @@ author: nickbrower cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark
@@ -52,10 +53,18 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* +- GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)* - GP name: *AllowStandbyStatesAC_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -76,12 +85,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -96,10 +105,18 @@ ADMX Info:

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off the display (on battery)* +- GP English name: *Turn off the display (on battery)* - GP name: *VideoPowerDownTimeOutDC_2* +- GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* @@ -120,12 +137,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -140,10 +157,18 @@ ADMX Info:

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off the display (plugged in)* +- GP English name: *Turn off the display (plugged in)* - GP name: *VideoPowerDownTimeOutAC_2* +- GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* @@ -164,12 +189,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -185,10 +210,18 @@ ADMX Info:

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the system hibernate timeout (on battery)* +- GP English name: *Specify the system hibernate timeout (on battery)* - GP name: *DCHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -209,12 +242,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -229,10 +262,18 @@ ADMX Info:

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the system hibernate timeout (plugged in)* +- GP English name: *Specify the system hibernate timeout (plugged in)* - GP name: *ACHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -253,12 +294,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -271,10 +312,18 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Require a password when a computer wakes (on battery)* +- GP English name: *Require a password when a computer wakes (on battery)* - GP name: *DCPromptForPasswordOnResume_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -295,12 +344,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -313,10 +362,18 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Require a password when a computer wakes (plugged in)* +- GP English name: *Require a password when a computer wakes (plugged in)* - GP name: *ACPromptForPasswordOnResume_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -337,12 +394,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -357,10 +414,18 @@ ADMX Info:

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the system sleep timeout (on battery)* +- GP English name: *Specify the system sleep timeout (on battery)* - GP name: *DCStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* @@ -381,12 +446,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark @@ -401,10 +466,18 @@ ADMX Info:

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify the system sleep timeout (plugged in)* +- GP English name: *Specify the system sleep timeout (plugged in)* - GP name: *ACStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index ac4e6f725f..ffd1d93c3c 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Printers @@ -34,12 +35,12 @@ author: nickbrower cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -65,16 +66,24 @@ If you disable this policy setting: -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Point and Print Restrictions* +- GP English name: *Point and Print Restrictions* - GP name: *PointAndPrint_Restrictions_Win7* +- GP path: *Printers* - GP ADMX file name: *Printing.admx* -**Printers/PointAndPrintRestrictions_User** +**Printers/PointAndPrintRestrictions_User** @@ -89,12 +98,12 @@ ADMX Info: - - - - - - + + + + + +
    cross markcheck mark1check mark1check mark1check mark1check mark1check markcheck markcheck markcheck markcross markcross mark
    @@ -120,10 +129,18 @@ If you disable this policy setting: -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Point and Print Restrictions* +- GP English name: *Point and Print Restrictions* - GP name: *PointAndPrint_Restrictions* +- GP path: *Control Panel/Printers* - GP ADMX file name: *Printing.admx* @@ -144,12 +161,12 @@ ADMX Info: cross mark - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -164,10 +181,18 @@ If you disable this setting, this computer's shared printers cannot be published Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow printers to be published* +- GP English name: *Allow printers to be published* - GP name: *PublishPrinters* +- GP path: *Printers* - GP ADMX file name: *Printing2.admx* diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 6436a76202..fae39d1341 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Privacy @@ -33,11 +34,11 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 + check mark3 + check mark3 - check mark1 - check mark1 + check mark3 + check mark3 check mark check mark @@ -47,6 +48,9 @@ author: nickbrower

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. +

    The following list shows the supported values: - 0 (default)– Not allowed. @@ -132,6 +136,42 @@ author: nickbrower

    Most restricted value is 0. + + + +**Privacy/EnableActivityFeed** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + @@ -2502,6 +2542,42 @@ author: nickbrower

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +**Privacy/PublishUserActivities** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3check mark3check mark3
    + + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. +


    @@ -2544,6 +2620,7 @@ Footnote: ## Privacy policies supported by Microsoft Surface Hub +- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) @@ -2552,5 +2629,6 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/PublishUserActivities](#privacy-publishuseractivities) diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index bae354870c..61751bca3b 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - RemoteAssistance @@ -33,13 +34,13 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -58,10 +59,18 @@ If you disable this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warning message. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Customize warning messages* +- GP English name: *Customize warning messages* - GP name: *RA_Options* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* @@ -81,13 +90,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -102,10 +111,18 @@ If you disable this policy setting, log files are not generated. If you do not configure this setting, application-based settings are used. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn on session logging* +- GP English name: *Turn on session logging* - GP name: *RA_Logging* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* @@ -125,13 +142,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -154,10 +171,18 @@ The "Select the method for sending email invitations" setting specifies which em If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Configure Solicited Remote Assistance* +- GP English name: *Configure Solicited Remote Assistance* - GP name: *RA_Solicit* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* @@ -177,13 +202,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -229,10 +254,18 @@ Port 135:TCP Allow Remote Desktop Exception +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Configure Offer Remote Assistance* +- GP English name: *Configure Offer Remote Assistance* - GP name: *RA_Unsolicit* +- GP path: *System/Remote Assistance* - GP ADMX file name: *remoteassistance.admx* diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index c73c7a4093..411214069f 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - RemoteDesktopServices @@ -33,13 +34,13 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -58,10 +59,18 @@ Note: You can limit which clients are able to connect remotely by using Remote D You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow users to connect remotely by using Remote Desktop Services* +- GP English name: *Allow users to connect remotely by using Remote Desktop Services* - GP name: *TS_DISABLE_CONNECTIONS* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* - GP ADMX file name: *terminalserver.admx* @@ -81,13 +90,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -110,10 +119,18 @@ Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Set client connection encryption level* +- GP English name: *Set client connection encryption level* - GP name: *TS_ENCRYPTION_POLICY* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* @@ -133,13 +150,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -156,10 +173,18 @@ If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not allow drive redirection* +- GP English name: *Do not allow drive redirection* - GP name: *TS_CLIENT_DRIVE_M* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* - GP ADMX file name: *terminalserver.admx* @@ -179,13 +204,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -198,10 +223,18 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not allow passwords to be saved* +- GP English name: *Do not allow passwords to be saved* - GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* - GP ADMX file name: *terminalserver.admx* @@ -221,13 +254,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -246,10 +279,18 @@ If you disable this policy setting, users can always log on to Remote Desktop Se If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Always prompt for password upon connection* +- GP English name: *Always prompt for password upon connection* - GP name: *TS_PASSWORD* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* @@ -269,13 +310,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -294,10 +335,18 @@ If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Require secure RPC communication* +- GP English name: *Require secure RPC communication* - GP name: *TS_RPC_ENCRYPTION* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* - GP ADMX file name: *terminalserver.admx* diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 4c0d02a0fb..d084b5d609 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - RemoteManagement @@ -19,196 +20,661 @@ author: nickbrower ## RemoteManagement policies -**RemoteManagement/AllowBasicAuthentication_Client** +**RemoteManagement/AllowBasicAuthentication_Client** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow Basic authentication* +- GP English name: *Allow Basic authentication* - GP name: *AllowBasic_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/AllowBasicAuthentication_Service** +**RemoteManagement/AllowBasicAuthentication_Service** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow Basic authentication* +- GP English name: *Allow Basic authentication* - GP name: *AllowBasic_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/AllowCredSSPAuthenticationClient** +**RemoteManagement/AllowCredSSPAuthenticationClient** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow CredSSP authentication* -- GP name: *AllowCredSSP_1* -- GP ADMX file name: *WindowsRemoteManagement.admx* - - - - -**RemoteManagement/AllowCredSSPAuthenticationService** - - - - -ADMX Info: -- GP english name: *Allow CredSSP authentication* +- GP English name: *Allow CredSSP authentication* - GP name: *AllowCredSSP_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/AllowRemoteServerManagement** +**RemoteManagement/AllowCredSSPAuthenticationService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow remote server management through WinRM* +- GP English name: *Allow CredSSP authentication* +- GP name: *AllowCredSSP_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowRemoteServerManagement** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow remote server management through WinRM* - GP name: *AllowAutoConfig* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/AllowUnencryptedTraffic_Client** +**RemoteManagement/AllowUnencryptedTraffic_Client** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow unencrypted traffic* +- GP English name: *Allow unencrypted traffic* - GP name: *AllowUnencrypted_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/AllowUnencryptedTraffic_Service** +**RemoteManagement/AllowUnencryptedTraffic_Service** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow unencrypted traffic* +- GP English name: *Allow unencrypted traffic* - GP name: *AllowUnencrypted_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/DisallowDigestAuthentication** +**RemoteManagement/DisallowDigestAuthentication** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disallow Digest authentication* +- GP English name: *Disallow Digest authentication* - GP name: *DisallowDigest* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/DisallowNegotiateAuthenticationClient** +**RemoteManagement/DisallowNegotiateAuthenticationClient** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disallow Negotiate authentication* -- GP name: *DisallowNegotiate_1* -- GP ADMX file name: *WindowsRemoteManagement.admx* - - - - -**RemoteManagement/DisallowNegotiateAuthenticationService** - - - - -ADMX Info: -- GP english name: *Disallow Negotiate authentication* +- GP English name: *Disallow Negotiate authentication* - GP name: *DisallowNegotiate_2* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/DisallowStoringOfRunAsCredentials** +**RemoteManagement/DisallowNegotiateAuthenticationService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Disallow WinRM from storing RunAs credentials* +- GP English name: *Disallow Negotiate authentication* +- GP name: *DisallowNegotiate_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowStoringOfRunAsCredentials** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disallow WinRM from storing RunAs credentials* - GP name: *DisableRunAs* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** +**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify channel binding token hardening level* +- GP English name: *Specify channel binding token hardening level* - GP name: *CBTHardeningLevel_1* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/TrustedHosts** +**RemoteManagement/TrustedHosts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Trusted Hosts* +- GP English name: *Trusted Hosts* - GP name: *TrustedHosts* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/TurnOnCompatibilityHTTPListener** +**RemoteManagement/TurnOnCompatibilityHTTPListener** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn On Compatibility HTTP Listener* +- GP English name: *Turn On Compatibility HTTP Listener* - GP name: *HttpCompatibilityListener* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* -**RemoteManagement/TurnOnCompatibilityHTTPSListener** +**RemoteManagement/TurnOnCompatibilityHTTPSListener** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn On Compatibility HTTPS Listener* +- GP English name: *Turn On Compatibility HTTPS Listener* - GP name: *HttpsCompatibilityListener* +- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* - GP ADMX file name: *WindowsRemoteManagement.admx* diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 56389b3ae7..dc1dab2c86 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - RemoteProcedureCall @@ -33,13 +34,13 @@ author: nickbrower Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -56,10 +57,18 @@ If you do not configure this policy setting, it remains disabled. RPC clients w Note: This policy will not be applied until the system is rebooted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Enable RPC Endpoint Mapper Client Authentication* +- GP English name: *Enable RPC Endpoint Mapper Client Authentication* - GP name: *RpcEnableAuthEpResolution* +- GP path: *System/Remote Procedure Call* - GP ADMX file name: *rpc.admx* @@ -79,13 +88,13 @@ ADMX Info: Mobile Enterprise - check mark1 - check mark1 - - check mark1 - check mark1 - check mark1 - check mark1 + cross mark + check mark + check mark + check mark + check mark + cross mark + cross mark 
@@ -110,10 +119,18 @@ If you enable this policy setting, it directs the RPC server runtime to restrict Note: This policy setting will not be applied until the system is rebooted. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Restrict Unauthenticated RPC clients* +- GP English name: *Restrict Unauthenticated RPC clients* - GP name: *RpcRestrictRemoteClients* +- GP path: *System/Remote Procedure Call* - GP ADMX file name: *rpc.admx* diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 08ec87e539..32309bdf9d 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - RemoteShell @@ -19,92 +20,309 @@ author: nickbrower ## RemoteShell policies -**RemoteShell/AllowRemoteShellAccess** +**RemoteShell/AllowRemoteShellAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Allow Remote Shell Access* +- GP English name: *Allow Remote Shell Access* - GP name: *AllowRemoteShellAccess* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* -**RemoteShell/MaxConcurrentUsers** +**RemoteShell/MaxConcurrentUsers** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *MaxConcurrentUsers* +- GP English name: *MaxConcurrentUsers* - GP name: *MaxConcurrentUsers* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* -**RemoteShell/SpecifyIdleTimeout** +**RemoteShell/SpecifyIdleTimeout** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify idle Timeout* +- GP English name: *Specify idle Timeout* - GP name: *IdleTimeout* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* -**RemoteShell/SpecifyMaxMemory** +**RemoteShell/SpecifyMaxMemory** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify maximum amount of memory in MB per Shell* +- GP English name: *Specify maximum amount of memory in MB per Shell* - GP name: *MaxMemoryPerShellMB* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* -**RemoteShell/SpecifyMaxProcesses** +**RemoteShell/SpecifyMaxProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify maximum number of processes per Shell* +- GP English name: *Specify maximum number of processes per Shell* - GP name: *MaxProcessesPerShell* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* -**RemoteShell/SpecifyMaxRemoteShells** +**RemoteShell/SpecifyMaxRemoteShells** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify maximum number of remote shells per user* +- GP English name: *Specify maximum number of remote shells per user* - GP name: *MaxShellsPerUser* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* -**RemoteShell/SpecifyShellTimeout** +**RemoteShell/SpecifyShellTimeout** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Specify Shell Timeout* +- GP English name: *Specify Shell Timeout* - GP name: *ShellTimeOut* +- GP path: *Windows Components/Windows Remote Shell* - GP ADMX file name: *WindowsRemoteShell.admx* diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 73badec791..8c510ae5c1 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Search diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index b9da338ad1..229903014f 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Security @@ -215,6 +216,45 @@ author: nickbrower - 0 – Don't allow Anti Theft Mode. - 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). + + + +**Security/ClearTPMIfNotReady** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. + +The following list shows the supported values: + +- 0 (default) – Will not force recovery from a non-ready TPM state. +- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. + diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index aac7fdd2e4..50a3295347 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Settings diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 968712f98d..adc515f986 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - SmartScreen diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index b67d1464b7..833057f11a 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md 
@@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Speech diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 9c3c33dc73..75e90f86a0 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Start @@ -447,10 +448,10 @@ author: nickbrower cross mark - check mark2 + check mark3 - check mark2 - check mark2 + check mark3 + check mark3 cross mark cross mark @@ -461,7 +462,10 @@ author: nickbrower > [!NOTE] > This policy requires reboot to take effect. -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. +

    Allows IT Admins to configure Start by collapsing or removing the all apps list. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

    The following list shows the supported values: @@ -1081,7 +1085,7 @@ author: nickbrower > [!IMPORTANT] > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. -

    The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic. +

    The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).

    To validate on Desktop, do the following: @@ -1176,7 +1180,7 @@ author: nickbrower

    Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy -

    This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. +

    For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar). diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 7d305a13d9..e73be79d8b 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Storage @@ -34,8 +35,8 @@ author: nickbrower cross mark - cross mark - + check mark + check mark check mark check mark cross mark 
@@ -52,10 +53,18 @@ If you enable this policy setting, Windows will not activate unactivated Enhance If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Do not allow Windows to activate Enhanced Storage devices* +- GP English name: *Do not allow Windows to activate Enhanced Storage devices* - GP name: *TCGSecurityActivationDisabled* +- GP path: *System/Enhanced Storage Access* - GP ADMX file name: *enhancedstorage.admx* diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index bfc21c114d..53b9ec2f30 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - System @@ -419,11 +420,11 @@ author: nickbrower cross mark check mark - - check mark check mark check mark check mark + cross mark + cross mark 
@@ -432,6 +433,13 @@ author: nickbrower N/A +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: - GP name: *POL_DriverLoadPolicy_Name* @@ -505,10 +513,10 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 + check mark + check mark + check mark + check mark cross mark cross mark 
@@ -529,10 +537,18 @@ If you disable or do not configure this policy setting, users can perform System Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP english name: *Turn off System Restore* +- GP English name: *Turn off System Restore* - GP name: *SR_DisableSR* +- GP path: *System/System Restore* - GP ADMX file name: *systemrestore.admx* diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 3baa9bb071..08041394b9 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - TextInput @@ -362,29 +363,6 @@ author: nickbrower **TextInput/AllowKoreanExtendedHanja** - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - -

    This policy has been deprecated. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index c3bcd16106..5eba1aac1c 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - TimeLanguageSettings @@ -67,8 +68,8 @@ Footnote: ## TimeLanguageSettings policies supported by Microsoft Surface Hub -- [TimeLanguageSettings/Set24HourClock](#None) -- [TimeLanguageSettings/SetCountry](#None) -- [TimeLanguageSettings/SetLanguage](#None) +- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock) +- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry) +- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index eb5110a19b..e3a796b41d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Update @@ -45,10 +46,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] @@ -87,10 +84,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.

    Supported values are 8-18. @@ -126,10 +119,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] @@ -168,10 +157,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Enables the IT admin to manage automatic update behavior to scan, download, and install updates.

    Supported operations are Get and Replace. @@ -191,6 +176,43 @@ author: nickbrower

    If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + +**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. + +- 0 (default) - Not allowed +- 1 - Allowed + +A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. + +This policy is accessible through the Update setting in the user interface or Group Policy. @@ -220,10 +242,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -

    Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.

    The following list shows the supported values: @@ -260,10 +278,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.

    Supported operations are Get and Replace. @@ -304,10 +318,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.

    Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store @@ -386,10 +396,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.

    Supported values are 15, 30, 60, 120, and 240 (minutes). @@ -425,10 +431,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.

    The following list shows the supported values: @@ -465,10 +467,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.

    The following list shows the supported values: @@ -505,8 +503,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

    Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. @@ -545,10 +541,6 @@ author: nickbrower -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.

    Supported values are 0-30. @@ -583,8 +575,6 @@ author: nickbrower > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. @@ -682,8 +672,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. > > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. @@ -728,6 +716,46 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + +**Update/DisableDualScan** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. + +

    For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). + +- 0 - allow scan against Windows Update +- 1 - do not allow update deferral policies to cause scans against Windows Update + +

    This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." + +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete. + @@ -757,10 +785,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).

    Supported values are 2-30 days. @@ -796,10 +820,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.

    Supported values are 1-3 days. @@ -835,10 +855,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.

    Supported values are 2-30 days. @@ -875,7 +891,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

    Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. @@ -1050,8 +1065,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. @@ -1095,8 +1108,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -1110,7 +1121,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -**Update/PauseFeatureUpdatesStartTime** +**Update/PauseFeatureUpdatesStartTime** @@ -1169,9 +1180,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -

    Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.

    The following list shows the supported values: @@ -1182,7 +1190,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -**Update/PauseQualityUpdatesStartTime** +**Update/PauseQualityUpdatesStartTime**

    @@ -1242,8 +1250,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. @@ -1283,11 +1289,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -
    - > [!NOTE] > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. @@ -1330,10 +1331,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.

    Supported values are 15, 30, or 60 (minutes). @@ -1408,10 +1405,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Enables the IT admin to schedule the day of the update installation.

    The data type is a integer. @@ -1676,10 +1669,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.

    The following list shows the supported values: @@ -1752,9 +1741,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. @@ -1814,8 +1800,6 @@ Example -> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. -

    Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

    This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 61525f5b57..7d019f9c35 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 08/30/2017 --- # Policy CSP - Wifi @@ -21,29 +22,6 @@ author: nickbrower **WiFi/AllowWiFiHotSpotReporting** - -

    - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - -

    This policy has been deprecated.
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
new file mode 100644
index 0000000000..ba85960f84
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -0,0 +1,526 @@
+---
+title: Policy CSP - WindowsDefenderSecurityCenter
+description: Policy CSP - WindowsDefenderSecurityCenter
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/30/2017
+---
+
+# Policy CSP - WindowsDefenderSecurityCenter
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+


    + +## WindowsDefenderSecurityCenter policies + + +**WindowsDefenderSecurityCenter/CompanyName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. + +

    Value type is string. Supported operations are Add, Get, Replace and Delete. + + + + +**WindowsDefenderSecurityCenter/DisableAppBrowserUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableEnhancedNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. + +> [!Note] +> If Suppress notification is enabled then users will not see critical or non-critical messages. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users.. +- 1 - (Enable) Windows Defender Security Center only display notifications which are considered critical on clients. + + + + +**WindowsDefenderSecurityCenter/DisableFamilyUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the family options area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the family options area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableHealthUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableNetworkUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of Windows Defender Security Center notifications. +- 1 - (Enable) The users cannot see the display of Windows Defender Security Center notifications. + + + + +**WindowsDefenderSecurityCenter/DisableVirusUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete.Valid values: + +- 0 - (Disable) Local users are allowed to make changes in the exploit protection settings area. +- 1 - (Enable) Local users cannot make changes in the exploit protection settings area. + + + + +**WindowsDefenderSecurityCenter/Email** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. + +

    Value type is string. Supported operations are Add, Get, Replace and Delete. + + + + +**WindowsDefenderSecurityCenter/EnableCustomizedToasts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. + +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values: + +- 0 - (Disable) Notifications contain a default notification text. +- 1 - (Enable) Notifications contain the company name and contact options. + + + + +**WindowsDefenderSecurityCenter/EnableInAppCustomization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709.Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. + +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values: + +- 0 - (Disable) Do not display the company name and contact options in the card fly out notification. +- 1 - (Enable) Display the company name and contact options in the card fly out notification. + + + + +**WindowsDefenderSecurityCenter/Phone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. + +

    Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + + +**WindowsDefenderSecurityCenter/URL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. + +

    Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index edce18a72e..32d34d88ec 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - WindowsInkWorkspace
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 29b2de31e3..22b96181e5 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - WindowsLogon
@@ -34,10 +35,10 @@ author: nickbrower
 cross mark - check mark1 - - check mark1 - check mark1 + check mark + check mark + check mark + check mark cross mark cross mark 
@@ -52,10 +53,18 @@ If you enable this policy setting, no app notifications are displayed on the loc
 If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Turn off app notifications on the lock screen*
+- GP English name: *Turn off app notifications on the lock screen*
 - GP name: *DisableLockScreenAppNotifications*
+- GP path: *System/Logon*
 - GP ADMX file name: *logon.admx*
@@ -76,10 +85,10 @@ ADMX Info:
 cross mark - check mark1 - - check mark1 - check mark1 + check mark + check mark + check mark + check mark cross mark cross mark 
@@ -94,10 +103,18 @@ If you enable this policy setting, the PC's network connectivity state cannot be
 If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
 ADMX Info:
-- GP english name: *Do not display network selection UI*
+- GP English name: *Do not display network selection UI*
 - GP name: *DontDisplayNetworkSelectionUI*
+- GP path: *System/Logon*
 - GP ADMX file name: *logon.admx*
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index ab4b3cb9d6..ea09c4b3c7 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 08/30/2017
 ---
 # Policy CSP - WirelessDisplay
@@ -125,7 +126,7 @@ author: nickbrower
-**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
+**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
@@ -161,29 +162,6 @@ author: nickbrower
 **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** - -
    - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - -

    Added in Windows 10, version 1703.
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index ec16e08ca7..3e242783d4 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/30/2017
+ms.date: 08/23/2017
 ---
 # Policy DDF file
@@ -21,6 +21,7 @@ You can download the DDF files from the links below:
 - [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
 - [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
+- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
 - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
 The XML below is the DDF for Windows 10, version 1709.
@@ -353,6 +354,941 @@ The XML below is the DDF for Windows 10, version 1709. + + Browser + + + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + + + + + + + + + + + text/plain + + + + + AllowAutofill + + + + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowBrowser + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCookies + + + + + + + + This setting lets you configure how your company deals with cookies. + + + + + + + + + + + text/plain + + + + + AllowDeveloperTools + + + + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowDoNotTrack + + + + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + + + + + + + + + + + text/plain + + + + + AllowExtensions + + + + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlash + + + + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlashClickToRun + + + + + + + + Configure the Adobe Flash Click-to-Run setting. + + + + + + + + + + + text/plain + + + + + AllowInPrivate + + + + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. 
+ + + + + + + + + + + text/plain + + + + + AllowMicrosoftCompatibilityList + + + + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + + + + + + + + + + + text/plain + + + + + AllowPasswordManager + + + + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + + + + + + + + + + + text/plain + + + + + AllowPopups + + + + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + + + + + + + + + + + text/plain + + + + + AllowSearchEngineCustomization + + + + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. + +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. 
+ +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + AllowSearchSuggestionsinAddressBar + + + + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowSmartScreen + + + + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + + + + + + + + + + + text/plain + + + + + AlwaysEnableBooksLibrary + + + + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + + + + + + + + + + + text/plain + + + + + ClearBrowsingDataOnExit + + + + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + + + + + + + + + + + text/plain + + + + + ConfigureAdditionalSearchEngines + + + + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. + +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ + + + + + + + + + + text/plain + + + + + DisableLockdownOfStartPages + + + + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + EnterpriseModeSiteList + + + + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + text/plain + + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + + + text/plain + + + + + FirstRunURL + + + + + + + + Configure first run URL. + + + + + + + + + + + text/plain + + + + + HomePages + + + + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. + +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + text/plain + + + + + LockdownFavorites + + + + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. 
+ +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + + + + + text/plain + + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + + + + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventFirstRunPage + + + + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventLiveTileDataCollection + + + + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverride + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverrideForFiles + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
+ + + + + + + + + + + text/plain + + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + + + + Prevent using localhost IP address for WebRTC + + + + + + + + + + + text/plain + + + + + ProvisionFavorites + + + + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + text/plain + + + + + SendIntranetTraffictoInternetExplorer + + + + + + + + Sends all intranet traffic over to Internet Explorer. + + + + + + + + + + + text/plain + + + + + SetDefaultSearchEngine + + + + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. 
+ +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + + + + Show message when opening sites in Internet Explorer + + + + + + + + + + + text/plain + + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + + + + + + + + + + + text/plain + + + + CredentialsUI @@ -467,7 +1403,7 @@ The XML below is the DDF for Windows 10, version 1709. - AllowUserPrinterInstallation + DefaultPrinterName @@ -475,9 +1411,9 @@ The XML below is the DDF for Windows 10, version 1709. - Boolean that specifies whether or not to allow user to install new printers + This policy sets user's default printer - + @@ -491,7 +1427,7 @@ The XML below is the DDF for Windows 10, version 1709. - DefaultPrinterName + PreventAddingNewPrinters @@ -499,9 +1435,9 @@ The XML below is the DDF for Windows 10, version 1709. - This policy sets user's default printer + Boolean that specifies whether or not to prevent user to install new printers - + @@ -1133,7 +2069,7 @@ The XML below is the DDF for Windows 10, version 1709. - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -1757,7 +2693,7 @@ The XML below is the DDF for Windows 10, version 1709. - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites 
@@ -2357,7 +3293,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -2597,31 +3533,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -2861,55 +3773,7 @@ The XML below is the DDF for Windows 10, version 1709. - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG2 + InternetZoneJavaPermissions @@ -3340,6 +4204,30 @@ The XML below is the DDF for Windows 10, version 1709. + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneInitializeAndScriptActiveXControls @@ -3364,6 +4252,54 @@ The XML below is the DDF for Windows 10, version 1709. + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneNavigateWindowsAndFrames @@ -5501,31 +6437,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneAllowFontDownloadsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 + RestrictedSitesZoneAllowFontDownloads @@ -5908,6 +6820,30 @@ The XML below is the DDF for Windows 10, version 1709. + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows 
@@ -6221,7 +7157,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -6245,7 +7181,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -6269,7 +7205,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -6293,7 +7229,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode @@ -6317,7 +7253,7 @@ The XML below is the DDF for Windows 10, version 1709. - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -6652,6 +7588,54 @@ The XML below is the DDF for Windows 10, version 1709. + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneInitializeAndScriptActiveXControls @@ -6676,6 +7660,54 @@ The XML below is the DDF for Windows 10, version 1709. + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneJavaPermissions @@ -6724,54 +7756,6 @@ The XML below is the DDF for Windows 10, version 1709. - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - - - text/plain - - - Notifications @@ -7062,6 +8046,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + HighestValueMostSecure 
@@ -7108,6 +8093,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_MarkZoneOnSavedAtttachments + LastWrite @@ -7134,6 +8120,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_RemoveZoneInfo + LastWrite @@ -7160,6 +8147,7 @@ The XML below is the DDF for Windows 10, version 1709. AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_CallIOfficeAntiVirus + LastWrite @@ -7202,6 +8190,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7248,6 +8237,7 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume + LastWrite @@ -7274,6 +8264,7 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun + LastWrite 
@@ -7300,6 +8291,921 @@ The XML below is the DDF for Windows 10, version 1709. AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun + LastWrite + + + + + Browser + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowAutofill + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowBrowser + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + LowestValueMostSecure + + + + AllowCookies + + + + + This setting lets you configure how your company deals with cookies. + 2 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowDeveloperTools + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowDoNotTrack + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowExtensions + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowFlash + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + AllowFlashClickToRun + + + + + Configure the Adobe Flash Click-to-Run setting. 
+ 1 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + AllowInPrivate + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowMicrosoftCompatibilityList + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowPasswordManager + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowPopups + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + AllowSearchEngineCustomization + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. 
+ +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. + +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowSearchSuggestionsinAddressBar + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AllowSmartScreen + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + 1 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + AlwaysEnableBooksLibrary + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + ClearBrowsingDataOnExit + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + ConfigureAdditionalSearchEngines + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. 
+ +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + LastWrite + + + + DisableLockdownOfStartPages + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + + + EnterpriseModeSiteList + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + FirstRunURL + + + + + Configure first run URL. + + + + + + + + + + + + text/plain + + desktop + LastWrite + + + + HomePages + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. 
+ +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + + text/plain + + phone + LastWrite + + + + LockdownFavorites + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + Prevent access to the about:flags page in Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventFirstRunPage + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
+ 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + PreventLiveTileDataCollection + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventSmartScreenPromptOverride + + + + + Don't allow Windows Defender SmartScreen warning overrides + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventSmartScreenPromptOverrideForFiles + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + Prevent using localhost IP address for WebRTC + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + ProvisionFavorites + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
+ + + + + + + + + + + + text/plain + + LastWrite + + + + SendIntranetTraffictoInternetExplorer + + + + + Sends all intranet traffic over to Internet Explorer. + 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + SetDefaultSearchEngine + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. + +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + LastWrite + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + Show message when opening sites in Internet Explorer + 0 + + + + + + + + + + + text/plain + + phone + HighestValueMostSecure + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. 
Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure @@ -7346,6 +9252,7 @@ The XML below is the DDF for Windows 10, version 1709. credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal + LastWrite @@ -7392,6 +9299,7 @@ The XML below is the DDF for Windows 10, version 1709. desktop.admx desktop~AT~Desktop DisablePersonalDirChange + LastWrite @@ -7414,28 +9322,6 @@ The XML below is the DDF for Windows 10, version 1709. - - AllowUserPrinterInstallation - - - - - Boolean that specifies whether or not to allow user to install new printers - - - - - - - - - - - - text/plain - - - DefaultPrinterName @@ -7456,6 +9342,30 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite + + + + PreventAddingNewPrinters + + + + + Boolean that specifies whether or not to prevent user to install new printers + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure @@ -7478,6 +9388,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7520,6 +9431,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7542,6 +9454,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7551,7 +9464,7 @@ The XML below is the DDF for Windows 10, version 1709. A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - E1CF1107-FF90-4228-93BF-26052DD2C714 + @@ -7564,6 +9477,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7586,6 +9500,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7608,6 +9523,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -7630,6 +9546,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite 
@@ -7672,6 +9589,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7695,6 +9613,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7718,6 +9637,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7741,6 +9661,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7763,6 +9684,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7785,6 +9707,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -7808,6 +9731,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LowestValueMostSecure @@ -7854,6 +9778,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider + LastWrite @@ -7880,6 +9805,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering + LastWrite @@ -7906,6 +9832,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList + LastWrite @@ -7932,6 +9859,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictFormSuggestPW + LastWrite @@ -7958,6 +9886,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch + LastWrite @@ -7984,6 +9913,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit + LastWrite 
@@ -8010,6 +9940,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode + LastWrite @@ -8036,6 +9967,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable + LastWrite @@ -8062,10 +9994,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList + LastWrite - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -8088,6 +10021,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList + LastWrite @@ -8114,6 +10048,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites + LastWrite @@ -8140,6 +10075,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate + LastWrite @@ -8166,6 +10102,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate + LastWrite @@ -8192,6 +10129,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate + LastWrite @@ -8218,6 +10156,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate + LastWrite 
@@ -8244,6 +10183,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate + LastWrite @@ -8270,6 +10210,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate + LastWrite @@ -8296,6 +10237,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate + LastWrite @@ -8322,6 +10264,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry + LastWrite @@ -8348,6 +10291,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps + LastWrite @@ -8374,6 +10318,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate + LastWrite @@ -8400,6 +10345,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock + LastWrite @@ -8426,6 +10372,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate + LastWrite @@ -8452,6 +10399,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites + LastWrite 
@@ -8478,6 +10426,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate + LastWrite @@ -8504,6 +10453,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation + LastWrite @@ -8530,6 +10480,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures + LastWrite @@ -8556,6 +10507,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction IESF_PolicyExplorerProcesses_2 + LastWrite @@ -8582,6 +10534,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE + LastWrite @@ -8608,6 +10561,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -8634,6 +10588,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverride + LastWrite @@ -8660,6 +10615,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisableSafetyFilterOverrideForAppRepUnknown + LastWrite @@ -8686,6 +10642,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory + LastWrite 
@@ -8712,6 +10669,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddonManagement_RestrictCrashDetection + LastWrite @@ -8738,10 +10696,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP + LastWrite - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -8764,6 +10723,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory + LastWrite @@ -8790,6 +10750,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures + LastWrite @@ -8816,6 +10777,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols + LastWrite @@ -8842,6 +10804,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise + LastWrite @@ -8868,6 +10831,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead + LastWrite @@ -8894,6 +10858,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictHomePage + LastWrite @@ -8920,6 +10885,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError + LastWrite @@ -8946,6 +10912,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing + LastWrite 
@@ -8972,6 +10939,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit + LastWrite @@ -8998,6 +10966,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer RestrictProxy + LastWrite @@ -9024,6 +10993,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider + LastWrite @@ -9050,6 +11020,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages + LastWrite @@ -9076,6 +11047,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check + LastWrite @@ -9102,6 +11074,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat + LastWrite @@ -9128,6 +11101,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -9154,6 +11128,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist + LastWrite @@ -9180,6 +11155,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites + LastWrite @@ -9206,6 +11182,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet + LastWrite 
@@ -9232,6 +11209,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 + LastWrite @@ -9258,6 +11236,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 + LastWrite @@ -9284,6 +11263,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 + LastWrite @@ -9310,6 +11290,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 + LastWrite @@ -9336,6 +11317,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 + LastWrite @@ -9362,6 +11344,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 + LastWrite @@ -9388,10 +11371,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -9414,6 +11398,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 + LastWrite 
@@ -9440,6 +11425,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -9464,8 +11450,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet + LastWrite @@ -9490,8 +11477,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAllowTDCControl_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowTDCControl_Both_Internet + LastWrite @@ -9518,6 +11506,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 + LastWrite @@ -9542,8 +11531,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyWindowsRestrictionsURLaction_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyWindowsRestrictionsURLaction_1 + LastWrite @@ -9570,6 +11560,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 + LastWrite 
@@ -9596,6 +11587,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 + LastWrite @@ -9622,6 +11614,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 + LastWrite @@ -9648,10 +11641,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 + LastWrite - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -9674,32 +11668,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite @@ -9724,8 +11693,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyDownloadSignedActiveX_3 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + LastWrite @@ -9752,6 +11722,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 + LastWrite 
@@ -9776,8 +11747,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyTurnOnXSSFilter_Both_Internet + LastWrite @@ -9804,6 +11776,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + LastWrite @@ -9830,6 +11803,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + LastWrite @@ -9856,6 +11830,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 + LastWrite @@ -9880,8 +11855,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_TurnOnProtectedMode_2 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_TurnOnProtectedMode_1 + LastWrite @@ -9908,6 +11884,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 + LastWrite 
@@ -9934,36 +11911,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 + LastWrite - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - - - - InternetZoneJavaPermissionsWRONG1 + InternetZoneJavaPermissions @@ -9986,32 +11938,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 - - - - InternetZoneJavaPermissionsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 + LastWrite @@ -10038,6 +11965,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + LastWrite @@ -10064,6 +11992,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 + LastWrite @@ -10090,6 +12019,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 + LastWrite @@ -10116,6 +12046,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite 
@@ -10142,6 +12073,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 + LastWrite @@ -10168,6 +12100,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 + LastWrite @@ -10194,6 +12127,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 + LastWrite @@ -10220,6 +12154,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite @@ -10246,6 +12181,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 + LastWrite @@ -10272,6 +12208,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 + LastWrite @@ -10298,6 +12235,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 + LastWrite @@ -10324,6 +12262,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 + LastWrite 
@@ -10350,6 +12289,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 + LastWrite @@ -10376,6 +12316,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + LastWrite @@ -10402,6 +12343,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 + LastWrite @@ -10428,6 +12370,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 + LastWrite @@ -10454,6 +12397,34 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 + LastWrite + + + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite 
@@ -10480,6 +12451,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + LastWrite @@ -10506,6 +12532,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 + LastWrite @@ -10532,6 +12559,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 + LastWrite @@ -10558,6 +12586,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 + LastWrite @@ -10584,6 +12613,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 + LastWrite @@ -10610,6 +12640,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 + LastWrite 
@@ -10636,6 +12667,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 + LastWrite @@ -10662,6 +12694,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + LastWrite @@ -10688,6 +12721,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 + LastWrite @@ -10714,6 +12748,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 + LastWrite @@ -10740,6 +12775,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 + LastWrite @@ -10764,8 +12800,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + LastWrite @@ -10792,6 +12829,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 + LastWrite @@ -10818,6 +12856,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 + LastWrite 
@@ -10844,6 +12883,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 + LastWrite @@ -10870,6 +12910,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 + LastWrite @@ -10896,6 +12937,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 + LastWrite @@ -10922,6 +12964,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 + LastWrite @@ -10948,6 +12991,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 + LastWrite @@ -10974,6 +13018,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 + LastWrite @@ -11000,6 +13045,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + LastWrite @@ -11026,6 +13072,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 + LastWrite 
@@ -11052,6 +13099,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 + LastWrite @@ -11078,6 +13126,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 + LastWrite @@ -11104,6 +13153,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 + LastWrite @@ -11130,6 +13180,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 + LastWrite @@ -11156,6 +13207,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 + LastWrite @@ -11182,6 +13234,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 + LastWrite @@ -11208,6 +13261,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 + LastWrite @@ -11234,6 +13288,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 + LastWrite 
@@ -11260,6 +13315,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 + LastWrite @@ -11286,6 +13342,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 + LastWrite @@ -11312,6 +13369,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + LastWrite @@ -11338,6 +13396,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 + LastWrite @@ -11364,6 +13423,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 + LastWrite @@ -11390,6 +13450,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 + LastWrite @@ -11416,6 +13477,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 + LastWrite @@ -11442,6 +13504,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 + LastWrite 
@@ -11468,6 +13531,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 + LastWrite @@ -11494,6 +13558,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 + LastWrite @@ -11520,6 +13585,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 + LastWrite @@ -11546,6 +13612,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 + LastWrite @@ -11572,6 +13639,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 + LastWrite @@ -11598,6 +13666,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + LastWrite @@ -11624,6 +13693,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 + LastWrite @@ -11650,6 +13720,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 + LastWrite 
@@ -11676,6 +13747,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 + LastWrite @@ -11702,6 +13774,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 + LastWrite @@ -11728,6 +13801,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 + LastWrite @@ -11754,6 +13828,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 + LastWrite @@ -11780,6 +13855,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 + LastWrite @@ -11806,6 +13882,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 + LastWrite @@ -11832,6 +13909,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 + LastWrite @@ -11858,6 +13936,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 + LastWrite 
@@ -11884,6 +13963,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 + LastWrite @@ -11910,6 +13990,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + LastWrite @@ -11936,6 +14017,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 + LastWrite @@ -11962,6 +14044,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 + LastWrite @@ -11988,6 +14071,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 + LastWrite @@ -12014,6 +14098,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 + LastWrite @@ -12040,6 +14125,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 + LastWrite @@ -12066,6 +14152,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 + LastWrite 
@@ -12092,6 +14179,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 + LastWrite @@ -12118,6 +14206,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 + LastWrite @@ -12144,6 +14233,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 + LastWrite @@ -12170,6 +14260,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 + LastWrite @@ -12196,6 +14287,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 + LastWrite @@ -12222,6 +14314,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + LastWrite @@ -12248,6 +14341,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 + LastWrite @@ -12274,6 +14368,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 + LastWrite 
@@ -12300,6 +14395,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 + LastWrite @@ -12326,6 +14422,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 + LastWrite @@ -12352,6 +14449,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 + LastWrite @@ -12378,6 +14476,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 + LastWrite @@ -12404,6 +14503,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 + LastWrite @@ -12430,6 +14530,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 + LastWrite @@ -12456,6 +14557,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 + LastWrite @@ -12480,8 +14582,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 + inetres~AT~WindowsComponents~InternetExplorer + Disable_Managing_Safety_Filter_IE9 + LastWrite 
@@ -12508,6 +14611,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall + LastWrite @@ -12534,6 +14638,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyAllProcesses_9 + LastWrite @@ -12560,6 +14665,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime + LastWrite @@ -12586,6 +14692,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyAllProcesses_11 + LastWrite @@ -12612,6 +14719,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 + LastWrite @@ -12636,8 +14744,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyActiveScripting_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyActiveScripting_7 + LastWrite @@ -12664,6 +14773,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 + LastWrite @@ -12690,6 +14800,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 + LastWrite 
@@ -12714,8 +14825,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBinaryBehaviors_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBinaryBehaviors_7 + LastWrite @@ -12742,6 +14854,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 + LastWrite @@ -12768,6 +14881,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 + LastWrite @@ -12792,12 +14906,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFileDownload_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFileDownload_7 + LastWrite - RestrictedSitesZoneAllowFontDownloadsWRONG1 + RestrictedSitesZoneAllowFontDownloads @@ -12820,32 +14935,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 + LastWrite @@ -12872,6 +14962,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 + LastWrite 
@@ -12898,6 +14989,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 + LastWrite @@ -12922,8 +15014,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowMETAREFRESH_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowMETAREFRESH_7 + LastWrite @@ -12950,6 +15043,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + LastWrite @@ -12976,6 +15070,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + LastWrite @@ -13002,6 +15097,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted + LastWrite @@ -13028,6 +15124,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 + LastWrite @@ -13054,6 +15151,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 + LastWrite 
@@ -13080,6 +15178,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 + LastWrite @@ -13106,6 +15205,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 + LastWrite @@ -13132,6 +15232,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 + LastWrite @@ -13158,6 +15259,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 + LastWrite @@ -13184,6 +15286,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + LastWrite @@ -13210,6 +15313,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 + LastWrite @@ -13236,6 +15340,34 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 + LastWrite + + + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite 
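Review bot: The new node RestrictedSitesZoneEnableCrossSiteScriptingFilter in the @@ -13236 hunk maps to IZ_PolicyTurnOnXSSFilter_Both_Restricted, and the @@ -13652 hunk on L4616 renames RestrictedSitesZoneWRONG3 to RestrictedSitesZoneTurnOnCrossSiteScriptingFilter with the same ADMXPolicyName, so two documented nodes now point at one Group Policy; the same pattern recurs on L4618/L4619 (TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls and TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls both map to IZ_PolicyAntiMalwareCheckingOfActiveXControls_5, and the two ...NotMarkedAsSafe/...NotMarkedSafe nodes both map to IZ_PolicyScriptActiveXNotMarkedSafe_5), in the @@ -13494 hunk on L4615 where a second node is re-pointed at IZ_PolicyNavigateSubframesAcrossDomains_7 while the preceding hunk already shows a node with that mapping, and in the name lists on L4626/L4627. If the duplicate names are deliberate aliases kept for compatibility, the Description of each pair should say which one is canonical and that they write the same policy; as written, an administrator cannot tell whether setting both with different values is a conflict, and the new TrustedSitesZone pairs carry no Description text at all. If they are not deliberate, one of each pair is a leftover that should be dropped rather than renamed.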
@@ -13262,6 +15394,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + LastWrite @@ -13288,6 +15421,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + LastWrite @@ -13314,6 +15448,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 + LastWrite @@ -13340,6 +15475,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 + LastWrite @@ -13366,6 +15502,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 + LastWrite @@ -13392,6 +15529,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 + LastWrite @@ -13418,6 +15556,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + LastWrite @@ -13444,6 +15583,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 + LastWrite 
@@ -13470,6 +15610,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -13494,8 +15635,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -13520,8 +15662,9 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyRunActiveXControls_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyRunActiveXControls_7 + LastWrite @@ -13548,6 +15691,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 + LastWrite @@ -13572,12 +15716,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXMarkedSafe_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXMarkedSafe_7 + LastWrite - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets 
@@ -13598,12 +15743,13 @@ The XML below is the DDF for Windows 10, version 1709. phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptingOfJavaApplets_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptingOfJavaApplets_7 + LastWrite - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -13626,10 +15772,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 + LastWrite - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -13652,10 +15799,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode @@ -13678,10 +15826,11 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 + LastWrite - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -13704,6 +15853,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 + LastWrite @@ -13730,6 +15880,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyAllProcesses_12 + LastWrite 
@@ -13756,6 +15907,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyAllProcesses_8 + LastWrite @@ -13782,6 +15934,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider + LastWrite @@ -13808,6 +15961,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall + LastWrite @@ -13834,6 +15988,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 + LastWrite @@ -13860,6 +16015,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 + LastWrite @@ -13886,6 +16042,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 + LastWrite @@ -13912,6 +16069,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 + LastWrite @@ -13938,6 +16096,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 + LastWrite 
@@ -13964,6 +16123,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + LastWrite @@ -13990,6 +16150,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 + LastWrite @@ -14016,6 +16177,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 + LastWrite @@ -14042,6 +16204,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 + LastWrite + + + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite 
@@ -14068,6 +16285,61 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -14094,6 +16366,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 + LastWrite @@ -14120,58 +16393,7 @@ The XML below is the DDF for Windows 10, version 1709. inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - - - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -14214,6 +16436,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure 
@@ -14260,6 +16483,7 @@ The XML below is the DDF for Windows 10, version 1709. Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions + LastWrite @@ -14302,6 +16526,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LastWrite @@ -14345,6 +16570,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain phone + LastWrite @@ -14387,6 +16613,7 @@ The XML below is the DDF for Windows 10, version 1709. text/plain + LowestValueMostSecure @@ -14642,87 +16869,6 @@ The XML below is the DDF for Windows 10, version 1709. - - AccountPolicies - - - - - - - - - - - - - - - - - - - - - MinDevicePasswordLength - - - - - - - - This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. - - - - - - - - - - - text/plain - - - - - PasswordMustMeetComplexityRequirement - - - - - - - - This security setting determines whether passwords must meet complexity requirements. - -If this policy is enabled, passwords must meet the following minimum requirements: - -Not contain the user's account name or parts of the user's full name that exceed two consecutive characters -Be at least six characters in length -Contain characters from three of the following four categories: -English uppercase characters (A through Z) -English lowercase characters (a through z) -Base 10 digits (0 through 9) -Non-alphabetic characters (for example, !, $, #, %) -Complexity requirements are enforced when passwords are changed or created. - - - - - - - - - - - text/plain - - - - Accounts @@ -15910,6 +18056,30 @@ Complexity requirements are enforced when passwords are changed or created. + + AllowAadPasswordReset + + + + + + + + Specifies whether password reset is enabled for AAD accounts. + + + + + + + + + + + text/plain + + + AllowFastReconnect 
@@ -16537,7 +18707,7 @@ Complexity requirements are enforced when passwords are changed or created. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. @@ -16679,6 +18849,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AlwaysEnableBooksLibrary + + + + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + + + + + + + + + + + text/plain + + + ClearBrowsingDataOnExit 
@@ -16848,7 +19042,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -16863,6 +19057,37 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo + + LockdownFavorites + + + + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + + + + + text/plain + + + PreventAccessToAboutFlagsInMicrosoftEdge 
@@ -17011,6 +19236,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ProvisionFavorites + + + + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + text/plain + + + SendIntranetTraffictoInternetExplorer 
@@ -17181,6 +19437,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + + + + This policy setting specifies whether Windows apps can access cellular data. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + ShowAppCellularAccessUI @@ -17633,6 +19985,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableWindowsAutoPilotResetCredentials + + + + + + + + + + + + + + + + + + + text/plain + + + CredentialsUI @@ -18845,6 +21221,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOCacheHost + + + + + + + + + + + + + + + + + + + text/plain + + + DODownloadMode @@ -19520,7 +21920,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 
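Review bot: EnableWindowsAutoPilotResetCredentials (hunk @@ -17633) and DOCacheHost (hunk @@ -18845) are added with an empty Description element, and so is ExploitProtectionSettings in the @@ -20468 hunk on L4625, whereas the other nodes added on this line (LetAppsAccessCellularData and its three list variants) each carry a one-sentence description. For settings that govern credential reset, delivery-optimization cache sources and exploit-mitigation configuration, the Description is the only place in this reference that tells an administrator what the value controls and what format it expects, so each should get a sentence in the same `Specifies whether ...` / `List of ...` shape as its neighbours before publication. The actual semantics are not recoverable from these hunks, so the wording needs to come from the CSP owner rather than be inferred from the node names.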
@@ -20468,6 +22868,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + ExploitGuard + + + + + + + + + + + + + + + + + + + + + ExploitProtectionSettings + + + + + + + + + + + + + + + + + + + text/plain + + + + Games @@ -20514,6 +22960,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + Handwriting + + + + + + + + + + + + + + + + + + + + + PanelDefaultModeDocked + + + + + + + + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen + + + + + + + + + + + text/plain + + + + InternetExplorer @@ -20752,7 +23244,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -21376,7 +23868,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -22024,7 +24516,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -22264,31 +24756,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls @@ -22528,55 +24996,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissionsWRONG2 + InternetZoneJavaPermissions 
@@ -23007,6 +25427,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneInitializeAndScriptActiveXControls @@ -23031,6 +25475,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneNavigateWindowsAndFrames @@ -25168,31 +27660,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneAllowFontDownloadsWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 + RestrictedSitesZoneAllowFontDownloads @@ -25575,6 +28043,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows @@ -25888,7 +28380,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -25912,7 +28404,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -25936,7 +28428,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -25960,7 +28452,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode 
@@ -25984,7 +28476,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -26080,7 +28572,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -26343,6 +28835,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneInitializeAndScriptActiveXControls @@ -26367,6 +28907,54 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneJavaPermissions @@ -26415,54 +29003,6 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - - - text/plain - - - Kerberos 
@@ -26708,9 +29248,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -26883,6 +29423,130 @@ Default: Guest. + + Devices_AllowedToFormatAndEjectRemovableMedia + + + + + + + + Devices: Allowed to format and eject removable media + +This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: + +Administrators +Administrators and Interactive Users + +Default: This policy is not defined and only Administrators have this ability. + + + + + + + + + + + text/plain + + + + + Devices_AllowUndockWithoutHavingToLogon + + + + + + + + Devices: Allow undock without having to log on +This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +Default: Enabled. + +Caution +Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + + + + + + + + + + + text/plain + + + + + Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + + + + + + + Devices: Prevent users from installing printer drivers when connecting to shared printers + +For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. + +Default on servers: Enabled. 
+Default on workstations: Disabled + +Notes + +This setting does not affect the ability to add a local printer. +This setting does not affect Administrators. + + + + + + + + + + + text/plain + + + + + Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + + + + + + + Devices: Restrict CD-ROM access to locally logged-on user only + +This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. + +If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. + +Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + + + + + + + + + + + text/plain + + + InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked @@ -26911,7 +29575,7 @@ Do not display user information (3) - Interactivelogon_DoNotDisplayLastSignedIn + InteractiveLogon_DoNotDisplayLastSignedIn @@ -26941,7 +29605,7 @@ Default: Disabled. - Interactivelogon_DoNotDisplayUsernameAtSignIn + InteractiveLogon_DoNotDisplayUsernameAtSignIn @@ -26971,7 +29635,7 @@ Default: Disabled. - Interactivelogon_DoNotRequireCTRLALTDEL + InteractiveLogon_DoNotRequireCTRLALTDEL 
@@ -27233,6 +29897,39 @@ Default: This policy is not defined and automatic administrative logon is not al + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + + + + + + + Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. + + + + + + + + + + + text/plain + + + Shutdown_ClearVirtualMemoryPageFile 
@@ -27278,9 +29975,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -27310,17 +30007,17 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. 
@@ -27349,11 +30046,43 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+ + + + + + + + + + + text/plain + + + + + UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + + + + + + + User Account Control: Detect application installations and prompt for elevation + +This policy setting controls the behavior of application installation detection for the computer. + +The options are: + +Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. @@ -27383,9 +30112,9 @@ This policy setting enforces public key infrastructure (PKI) signature checks fo The options are: -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. 
@@ -27413,17 +30142,17 @@ The options are: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. 
@@ -27453,9 +30182,9 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. @@ -27485,9 +30214,9 @@ This policy setting controls whether the elevation request prompt is displayed o The options are: -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 
@@ -27517,9 +30246,9 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i The options are: -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. @@ -27549,9 +30278,9 @@ This policy setting controls whether application write failures are redirected t The options are: -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -• Disabled: Applications that write data to protected locations fail. +• Disabled: Applications that write data to protected locations fail. 
@@ -28846,102 +31575,6 @@ The options are: - - LetAppsAccessCellularData - - - - - - - - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - LetAppsAccessContacts @@ -30199,7 +32832,7 @@ The options are: - This policy setting specifies whether Windows apps can sync with devices. + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. @@ -30223,7 +32856,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. 
@@ -30247,7 +32880,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -30271,7 +32904,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -31258,6 +33891,30 @@ The options are: + + AllowCloudSearch + + + + + + + + + + + + + + + + + + + text/plain + + + AllowIndexingEncryptedStoresOrItems @@ -32950,6 +35607,30 @@ The options are: + + AllowDiskHealthModelUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EnhancedStorageDevices 
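Review bot: `AllowCloudSearch` (hunk `@@ -31258,6 +33891,30 @@`) and `AllowDiskHealthModelUpdates` (hunk `@@ -32950,6 +35607,30 @@`) are added with an empty description, while the `Devices_*` and `Shutdown_*` nodes added earlier in this change carry the full Group Policy explanation text; `DisableDualScan` on the next line is similar, its description is only the policy title with no statement of what the values mean. Policies whose names concern cloud search and health-model updates have data-flow implications that an administrator evaluating the DDF needs to see in the description rather than in external documentation. Suggest filling each description with the policy's purpose, supported values and default in the style of the neighbouring nodes; the exact text has to come from the policy definition, which is not visible here.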
@@ -33221,7 +35902,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. @@ -33260,6 +35941,30 @@ The options are: + + FeedbackHubAlwaysSaveDiagnosticsLocally + + + + + + + + Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + + + + + + + + + + + text/plain + + + TelemetryProxy @@ -34070,6 +36775,30 @@ The options are: + + DisableDualScan + + + + + + + + Do not allow update deferral policies to cause scans against Windows Update + + + + + + + + + + + text/plain + + + EngagedRestartDeadline @@ -34239,7 +36968,7 @@ The options are: - ManageBuildPreview + ManagePreviewBuilds @@ -35739,6 +38468,7 @@ The options are: text/plain desktop + LowestValueMostSecure 
@@ -35761,6 +38491,7 @@ The options are: text/plain + LowestValueMostSecure @@ -35783,83 +38514,7 @@ The options are: text/plain - - - - - AccountPolicies - - - - - - - - - - - - - - - - - - - MinDevicePasswordLength - - - - - This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. - 7 - - - - - - - - - - - text/plain - - phone - - - - PasswordMustMeetComplexityRequirement - - - - - This security setting determines whether passwords must meet complexity requirements. - -If this policy is enabled, passwords must meet the following minimum requirements: - -Not contain the user's account name or parts of the user's full name that exceed two consecutive characters -Be at least six characters in length -Contain characters from three of the following four categories: -English uppercase characters (A through Z) -English lowercase characters (a through z) -Base 10 digits (0 through 9) -Non-alphabetic characters (for example, !, $, #, %) -Complexity requirements are enforced when passwords are changed or created. - 0 - - - - - - - - - - - text/plain - - phone + LowestValueMostSecure @@ -35902,6 +38557,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -35924,6 +38580,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -35946,6 +38603,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -35968,6 +38626,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite 
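Review bot: The hunk `@@ -35783,83 +38514,7 @@` deletes the whole `AccountPolicies` subtree, including `MinDevicePasswordLength` and `PasswordMustMeetComplexityRequirement`, and adds only a single `LowestValueMostSecure` line in its place; nothing in this chunk shows those two policies being re-added under another path. If they have moved elsewhere in the DDF, the new location is not visible here and should be confirmed to exist in this same change; if they were removed deliberately, consumers that still reference these nodes will presumably no longer be able to enforce password length and complexity through this file, so the commit description should state the replacement. The 83-line deletion against a 7-line addition also looks like it could be a merge artefact rather than a planned removal, which is worth verifying before this lands.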
@@ -36014,6 +38673,7 @@ Complexity requirements are enforced when passwords are changed or created.ActiveXInstallService.admx ActiveXInstallService~AT~WindowsComponents~AxInstSv ApprovedActiveXInstallSites + LastWrite @@ -36057,6 +38717,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LastWrite @@ -36099,6 +38760,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36121,6 +38783,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36143,6 +38806,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36166,6 +38830,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -36188,6 +38853,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36211,6 +38877,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LowestValueMostSecure @@ -36234,6 +38901,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LastWrite @@ -36256,6 +38924,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36278,6 +38947,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36300,6 +38970,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -36346,6 +39017,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV EnableAppV + LastWrite 
@@ -36372,6 +39044,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVEnable + LastWrite @@ -36398,6 +39071,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_PackageManagement PackageManagement_AutoCleanupEnable + LastWrite @@ -36424,6 +39098,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Scripting Scripting_Enable_Package_Scripts + LastWrite @@ -36450,6 +39125,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Enable_Publishing_Refresh_UX + LastWrite @@ -36476,6 +39152,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Reporting Reporting_Server_Policy + LastWrite @@ -36502,6 +39179,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_File_Exclusions + LastWrite @@ -36528,6 +39206,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_Registry_Exclusions + LastWrite @@ -36554,6 +39233,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Steaming_Autoload + LastWrite @@ -36580,6 +39260,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Client_Coexistence Client_Coexistence_Enable_Migration_mode + LastWrite @@ -36606,6 +39287,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_User + LastWrite 
@@ -36632,6 +39314,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_Global + LastWrite @@ -36658,6 +39341,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server1_Policy + LastWrite @@ -36684,6 +39368,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server2_Policy + LastWrite @@ -36710,6 +39395,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server3_Policy + LastWrite @@ -36736,6 +39422,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server4_Policy + LastWrite @@ -36762,6 +39449,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server5_Policy + LastWrite @@ -36788,6 +39476,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Certificate_Filter_For_Client_SSL + LastWrite @@ -36814,6 +39503,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Allow_High_Cost_Launch + LastWrite @@ -36840,6 +39530,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Location_Provider + LastWrite @@ -36866,6 +39557,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Installation_Root + LastWrite 
@@ -36892,6 +39584,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Source_Root + LastWrite @@ -36918,6 +39611,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Interval + LastWrite @@ -36944,6 +39638,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Retries + LastWrite @@ -36970,6 +39665,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Shared_Content_Store_Mode + LastWrite @@ -36996,6 +39692,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Support_Branch_Cache + LastWrite @@ -37022,6 +39719,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Verify_Certificate_Revocation_List + LastWrite @@ -37048,6 +39746,7 @@ Complexity requirements are enforced when passwords are changed or created.appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVAllowList + LastWrite @@ -37070,6 +39769,30 @@ Complexity requirements are enforced when passwords are changed or created. + + AllowAadPasswordReset + + + + + Specifies whether password reset is enabled for AAD accounts. + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure + + AllowFastReconnect @@ -37090,6 +39813,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37113,6 +39837,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure 
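Review bot: `AllowAadPasswordReset` (hunk `@@ -37070,6 +39769,30 @@`) is added with a one-sentence description and a default of `0`, but the description does not state the supported values or what each means, unlike the `MinDevicePasswordLength` text elsewhere in this file that spells out its range. Since this policy gates a credential-recovery path, the description should list the values, along the lines of `0 (default) – password reset for AAD accounts is not allowed; 1 – allowed` (wording assumed from the policy name and default; confirm against the policy definition). The `LowestValueMostSecure` merge behaviour added alongside it is consistent with `0` being the restrictive value.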
@@ -37135,6 +39860,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37181,6 +39907,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume + LastWrite @@ -37207,6 +39934,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun + LastWrite @@ -37233,6 +39961,7 @@ Complexity requirements are enforced when passwords are changed or created.AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun + LastWrite @@ -37275,6 +40004,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37317,6 +40047,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37339,6 +40070,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37361,6 +40093,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37383,6 +40116,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37405,6 +40139,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LastWrite @@ -37448,6 +40183,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37470,6 +40206,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37493,6 +40230,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain desktop + LowestValueMostSecure @@ -37515,6 +40253,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure 
@@ -37538,6 +40277,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37560,6 +40300,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure @@ -37583,6 +40324,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + LowestValueMostSecure @@ -37606,6 +40348,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + HighestValueMostSecure @@ -37629,6 +40372,7 @@ Complexity requirements are enforced when passwords are changed or created.text/plain phone + HighestValueMostSecure @@ -37651,6 +40395,7 @@ Complexity requirements are enforced when passwords are changed or created. text/plain + LowestValueMostSecure 
@@ -37661,7 +40406,7 @@ Complexity requirements are enforced when passwords are changed or created. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. 1 @@ -37677,6 +40422,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + LowestValueMostSecure @@ -37699,6 +40445,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain + LowestValueMostSecure 
@@ -37722,6 +40469,7 @@ If you disable this setting, the Microsoft Compatibility List will not be used d text/plain phone + LowestValueMostSecure @@ -37749,6 +40497,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure @@ -37771,6 +40520,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure @@ -37793,6 +40543,30 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain + LowestValueMostSecure + + + + AlwaysEnableBooksLibrary + + + + + Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -37816,6 +40590,7 @@ This policy will only apply on domain joined machines or when the device is MDM text/plain phone + LowestValueMostSecure @@ -37844,6 +40619,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -37872,6 +40648,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LowestValueMostSecure @@ -37895,6 +40672,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LastWrite @@ -37918,6 +40696,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain phone + LastWrite @@ -37941,6 +40720,7 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo text/plain desktop + LastWrite 
@@ -37954,7 +40734,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -37969,6 +40749,37 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo text/plain phone + LastWrite + + + + LockdownFavorites + + + + + This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -37991,6 +40802,7 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, yo text/plain + HighestValueMostSecure 
@@ -38016,6 +40828,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -38040,6 +40853,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38062,6 +40876,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38084,6 +40899,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -38106,6 +40922,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure + + + + ProvisionFavorites + + + + + This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. + +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + + + + + + text/plain + + LastWrite @@ -38129,6 +40976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -38157,6 +41005,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38180,6 +41029,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure 
@@ -38203,6 +41053,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure @@ -38245,6 +41096,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38267,6 +41119,101 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + This policy setting specifies whether Windows apps can access cellular data. + 0 + + + + + + + + + + + text/plain + + HighestValueMostSecure + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + LastWrite + ; + + ShowAppCellularAccessUI @@ -38290,6 +41237,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~UISettings_Category ShowAppCellularAccessUI + LastWrite 
@@ -38332,6 +41280,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38354,6 +41303,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38376,6 +41326,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38398,6 +41349,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38421,6 +41373,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -38444,6 +41397,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -38466,6 +41420,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38488,6 +41443,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38514,6 +41470,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableHTTPPrinting_2 + LastWrite @@ -38540,6 +41497,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings DisableWebPnPDownload_2 + LastWrite @@ -38566,6 +41524,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on ICM.admx ICM~AT~System~InternetManagement~InternetManagement_Settings ShellPreventWPWDownload_2 + LastWrite @@ -38588,6 +41547,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure 
@@ -38614,6 +41574,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on networkprovider.admx NetworkProvider~AT~Network~Cat_NetworkProvider Pol_HardenedPaths + LastWrite @@ -38640,6 +41601,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on NetworkConnections.admx NetworkConnections~AT~Network~NetworkConnections NC_AllowNetBridge_NLA + LastWrite @@ -38686,6 +41648,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credentialproviders.admx CredentialProviders~AT~System~Logon AllowDomainPINLogon + LastWrite @@ -38712,6 +41675,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credentialproviders.admx CredentialProviders~AT~System~Logon BlockDomainPicturePassword + LastWrite + + + + EnableWindowsAutoPilotResetCredentials + + + + + + 0 + + + + + + + + + + + text/plain + + LowestValueMostSecure @@ -38758,6 +41745,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal + LastWrite @@ -38784,6 +41772,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on credui.admx CredUI~AT~WindowsComponents~CredUI EnumerateAdministrators + LastWrite @@ -38826,6 +41815,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38848,6 +41838,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -38890,6 +41881,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -38912,6 +41904,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite 
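Review bot: The new EnableWindowsAutoPilotResetCredentials node added in this hunk appears to carry no description text — nothing is listed between the node name and its default value `0`, whereas the other nodes this change adds (AllowAadPasswordReset, LockdownFavorites, LetAppsAccessCellularData) state what the policy controls. Since the DDF is what MDM tooling and administrators rely on to understand a logon/credential-provider policy and the effect of its default, a one-sentence description in the style of the sibling entries should be added, e.g. the constructed template `Specifies whether <PLACEHOLDER: behavior the policy enables> (0 = default, 1 = enabled).` with the placeholder filled from the policy's actual definition. The later hunks adding DOCacheHost and ExploitProtectionSettings have the same gap and should get the same treatment. With the XML tags lost in this rendering I cannot tell whether the Description element is absent or merely empty, so this should be confirmed against the source file before merging.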
@@ -38957,6 +41950,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost3G + LastWrite @@ -38982,6 +41976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost4G + LastWrite @@ -39025,6 +42020,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39048,6 +42044,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39071,6 +42068,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39094,6 +42092,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39117,6 +42116,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39140,6 +42140,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39163,6 +42164,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39186,6 +42188,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39209,6 +42212,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39232,6 +42236,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure 
@@ -39255,6 +42260,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39278,6 +42284,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39301,6 +42308,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39324,6 +42332,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39347,6 +42356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39370,6 +42380,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39393,6 +42404,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39416,6 +42428,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39439,6 +42452,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39462,6 +42476,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39485,6 +42500,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39508,6 +42524,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39531,6 +42548,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39554,6 +42572,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite 
@@ -39577,6 +42596,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39600,6 +42620,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39623,6 +42644,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39646,6 +42668,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure @@ -39669,6 +42692,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39692,6 +42716,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39715,6 +42740,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39738,6 +42764,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39761,6 +42788,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39784,6 +42812,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -39807,6 +42836,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39850,6 +42880,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39873,6 +42904,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecure + + + + DOCacheHost + + + + + + + + + + + + + + + + + text/plain + + phone + LastWrite 
@@ -39896,6 +42952,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39919,6 +42976,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39942,6 +43000,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39965,6 +43024,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -39988,6 +43048,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40011,6 +43072,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40034,6 +43096,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40057,6 +43120,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40080,6 +43144,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40103,6 +43168,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40126,6 +43192,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40149,6 +43216,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40172,6 +43240,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40195,6 +43264,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite 
@@ -40238,6 +43308,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -40261,6 +43332,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LowestValueMostSecureZeroHasNoLimits @@ -40284,6 +43356,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + HighestValueMostSecure @@ -40330,6 +43403,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_IDs_Deny + LastWrite @@ -40356,6 +43430,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Classes_Deny + LastWrite @@ -40399,6 +43474,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -40421,6 +43497,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -40443,6 +43520,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40465,6 +43543,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40487,6 +43566,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecure @@ -40509,6 +43589,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits 
@@ -40517,7 +43598,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 0 @@ -40531,6 +43612,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -40554,6 +43636,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain phone + LastWrite @@ -40576,6 +43659,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LastWrite @@ -40598,6 +43682,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -40620,6 +43705,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + LowestValueMostSecureZeroHasNoLimits @@ -40643,6 +43729,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain desktop + LowestValueMostSecure @@ -40665,6 +43752,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecure @@ -40687,6 +43775,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain + HighestValueMostSecureZeroHasNoLimits @@ -40714,6 +43803,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + HighestValueMostSecure @@ -40740,6 +43830,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ControlPanelDisplay.admx ControlPanelDisplay~AT~ControlPanel~Personalization CPL_Personalization_NoLockScreenSlideshow + LastWrite @@ -40762,6 +43853,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LastWrite 
@@ -40805,6 +43897,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LastWrite @@ -40828,6 +43921,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LastWrite @@ -40874,6 +43968,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerConsentCustomize_2 + LastWrite @@ -40900,6 +43995,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDisable_2 + LastWrite @@ -40926,6 +44022,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting PCH_ShowUI + LastWrite @@ -40952,6 +44049,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerNoSecondLevelData_2 + LastWrite @@ -40978,6 +44076,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDoNotShowUI + LastWrite @@ -41024,6 +44123,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_Log_Retention_1 + LastWrite @@ -41050,6 +44150,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_LogMaxSize_1 + LastWrite 
@@ -41076,6 +44177,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security Channel_LogMaxSize_2 + LastWrite @@ -41102,6 +44204,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System Channel_LogMaxSize_4 + LastWrite @@ -41145,6 +44248,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure @@ -41167,6 +44271,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41189,6 +44294,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41211,6 +44317,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41233,6 +44340,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41255,6 +44363,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41277,6 +44386,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41299,6 +44409,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41321,6 +44432,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + HighestValueMostSecure @@ -41343,6 +44455,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure @@ -41366,6 +44479,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure 
@@ -41389,6 +44503,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain desktop + LowestValueMostSecure @@ -41412,6 +44527,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -41434,6 +44550,50 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + HighestValueMostSecure + + + + + ExploitGuard + + + + + + + + + + + + + + + + + + + ExploitProtectionSettings + + + + + + + + + + + + + + + + + text/plain + + LastWrite @@ -41476,6 +44636,51 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain + LowestValueMostSecure + + + + + Handwriting + + + + + + + + + + + + + + + + + + + PanelDefaultModeDocked + + + + + Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen + 0 + + + + + + + + + + + text/plain + + phone + LowestValueMostSecure @@ -41522,6 +44727,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider + LastWrite @@ -41548,6 +44754,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering + LastWrite @@ -41574,6 +44781,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList + LastWrite @@ -41600,6 +44808,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyWarnCertMismatch + LastWrite 
@@ -41626,6 +44835,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteOnExit + LastWrite @@ -41652,6 +44862,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode + LastWrite @@ -41678,6 +44889,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable + LastWrite @@ -41704,6 +44916,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList + LastWrite @@ -41730,10 +44943,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures Advanced_EnableSSL3Fallback + LastWrite - AllowInternetExplorer7PolicyList + AllowInternetExplorer7PolicyList @@ -41756,6 +44970,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList + LastWrite @@ -41782,6 +44997,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites + LastWrite @@ -41808,6 +45024,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate + LastWrite 
@@ -41834,6 +45051,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate + LastWrite @@ -41860,6 +45078,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate + LastWrite @@ -41886,6 +45105,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate + LastWrite @@ -41912,6 +45132,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate + LastWrite @@ -41938,6 +45159,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate + LastWrite @@ -41964,6 +45186,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate + LastWrite @@ -41990,6 +45213,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry + LastWrite @@ -42016,6 +45240,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps + LastWrite 
@@ -42042,6 +45267,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate + LastWrite @@ -42068,6 +45294,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_InvalidSignatureBlock + LastWrite @@ -42094,6 +45321,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate + LastWrite @@ -42120,6 +45348,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites + LastWrite @@ -42146,6 +45375,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate + LastWrite @@ -42172,6 +45402,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_CertificateRevocation + LastWrite @@ -42198,6 +45429,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DownloadSignatures + LastWrite @@ -42224,6 +45456,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction IESF_PolicyExplorerProcesses_2 + LastWrite 
@@ -42250,6 +45483,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE + LastWrite @@ -42276,6 +45510,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -42300,6 +45535,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverride + LastWrite @@ -42324,6 +45562,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverrideForAppRepUnknown + LastWrite @@ -42350,6 +45591,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory RestrictHistory + LastWrite @@ -42374,6 +45616,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + AddonManagement_RestrictCrashDetection + LastWrite @@ -42400,10 +45645,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SQM_DisableCEIP + LastWrite - DisableDeletingUserVisitedWebsites + DisableDeletingUserVisitedWebsites @@ -42426,6 +45672,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory DBHDisableDeleteHistory + LastWrite 
@@ -42452,6 +45699,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~RSS_Feeds Disable_Downloading_of_Enclosures + LastWrite @@ -42478,6 +45726,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_SetWinInetProtocols + LastWrite @@ -42504,6 +45753,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoFirstRunCustomise + LastWrite @@ -42530,6 +45780,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableFlipAhead + LastWrite @@ -42556,6 +45807,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL NoCertError + LastWrite @@ -42582,6 +45834,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy DisableInPrivateBrowsing + LastWrite @@ -42608,6 +45861,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode64Bit + LastWrite @@ -42632,6 +45886,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictProxy + LastWrite @@ -42658,6 +45915,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoSearchProvider + LastWrite 
@@ -42684,6 +45942,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SecondaryHomePages + LastWrite @@ -42710,6 +45969,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Disable_Security_Settings_Check + LastWrite @@ -42736,6 +45996,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer NoUpdateCheck + LastWrite @@ -42762,6 +46023,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_DisableEPMCompat + LastWrite @@ -42788,6 +46050,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_zones_map_edit + LastWrite @@ -42814,6 +46077,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_options_edit + LastWrite @@ -42840,6 +46104,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable + LastWrite @@ -42866,6 +46131,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist + LastWrite @@ -42892,6 +46158,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites + LastWrite 
@@ -42918,6 +46185,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet + LastWrite @@ -42944,6 +46212,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 + LastWrite @@ -42970,6 +46239,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 + LastWrite @@ -42996,6 +46266,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 + LastWrite @@ -43022,6 +46293,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAllowPasteViaScript_1 + LastWrite @@ -43048,6 +46320,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDropOrPasteFiles_1 + LastWrite @@ -43074,6 +46347,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 + LastWrite 
@@ -43100,10 +46374,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite - InternetZoneAllowLoadingOfXAMLFilesWRONG + InternetZoneAllowLoadingOfXAMLFiles @@ -43126,6 +46401,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_XAML_1 + LastWrite @@ -43152,6 +46428,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -43176,8 +46453,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet + LastWrite @@ -43202,8 +46480,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAllowTDCControl_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowTDCControl_Both_Internet + LastWrite @@ -43230,6 +46509,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_WebBrowserControl_1 + LastWrite 
@@ -43254,8 +46534,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyWindowsRestrictionsURLaction_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyWindowsRestrictionsURLaction_1 + LastWrite @@ -43282,6 +46563,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 + LastWrite @@ -43308,6 +46590,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 + LastWrite @@ -43334,6 +46617,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_ScriptStatusBar_1 + LastWrite @@ -43360,10 +46644,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 + LastWrite - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + InternetZoneDoNotRunAntimalwareAgainstActiveXControls 
@@ -43386,32 +46671,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite @@ -43436,8 +46696,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyDownloadSignedActiveX_3 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + LastWrite @@ -43464,6 +46725,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDownloadUnsignedActiveX_1 + LastWrite @@ -43488,8 +46750,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyTurnOnXSSFilter_Both_Internet + LastWrite @@ -43516,6 +46779,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + LastWrite 
@@ -43542,6 +46806,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + LastWrite @@ -43568,6 +46833,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyMimeSniffingURLaction_1 + LastWrite @@ -43592,8 +46858,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_TurnOnProtectedMode_2 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_TurnOnProtectedMode_1 + LastWrite @@ -43620,6 +46887,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_LocalPathForUpload_1 + LastWrite @@ -43646,36 +46914,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 + LastWrite - InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - - - - InternetZoneJavaPermissionsWRONG1 + InternetZoneJavaPermissions 
@@ -43698,32 +46941,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyJavaPermissions_1 - - - - InternetZoneJavaPermissionsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 + LastWrite @@ -43750,6 +46968,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + LastWrite @@ -43776,6 +46995,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyLogon_1 + LastWrite @@ -43802,6 +47022,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 + LastWrite @@ -43828,6 +47049,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + LastWrite @@ -43854,6 +47076,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicySignedFrameworkComponentsURLaction_1 + LastWrite 
@@ -43880,6 +47103,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_UnsafeFiles_1 + LastWrite @@ -43906,6 +47130,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyBlockPopupWindows_1 + LastWrite @@ -43932,6 +47157,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 + LastWrite @@ -43958,6 +47184,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 + LastWrite @@ -43984,6 +47211,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 + LastWrite @@ -44010,6 +47238,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 + LastWrite @@ -44036,6 +47265,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 + LastWrite 
@@ -44062,6 +47292,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 + LastWrite @@ -44088,6 +47319,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + LastWrite @@ -44114,6 +47346,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 + LastWrite @@ -44140,6 +47373,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 + LastWrite @@ -44166,6 +47400,34 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 + LastWrite + + + + IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + LastWrite 
@@ -44192,6 +47454,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + LastWrite + + + + IntranetZoneJavaPermissions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + LastWrite @@ -44218,6 +47535,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 + LastWrite @@ -44244,6 +47562,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 + LastWrite @@ -44270,6 +47589,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 + LastWrite @@ -44296,6 +47616,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 + LastWrite 
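Review bot: The added IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe node maps to `IZ_PolicyScriptActiveXNotMarkedSafe_3`, the same ADMX policy as the context node immediately before it in this hunk, so the new side now carries two CSP nodes that write one Intranet-zone policy. With the `LastWrite` conflict resolution this hunk also adds, whichever node an enrollment writes last silently wins, which is the same duplicate shape the commit removes for the Internet zone in the hunk at `@@ -43646,36 +46914,11 @@` (where the removed node shared `IZ_PolicyScriptActiveXNotMarkedSafe_1` with its predecessor). If the earlier context node is the intended one, this added node looks like a leftover and should probably be dropped; if both are deliberate, a short note in the node description stating that they configure the same policy would spare readers the ambiguity. The context node's own name sits outside the hunk, so which of the two is authoritative cannot be confirmed from here.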
@@ -44322,6 +47643,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 + LastWrite @@ -44348,6 +47670,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 + LastWrite @@ -44374,6 +47697,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + LastWrite @@ -44400,6 +47724,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 + LastWrite @@ -44426,6 +47751,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 + LastWrite @@ -44452,6 +47778,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 + LastWrite @@ -44476,8 +47803,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + LastWrite 
@@ -44504,6 +47832,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 + LastWrite @@ -44530,6 +47859,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyJavaPermissions_9 + LastWrite @@ -44556,6 +47886,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 + LastWrite @@ -44582,6 +47913,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 + LastWrite @@ -44608,6 +47940,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 + LastWrite @@ -44634,6 +47967,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 + LastWrite @@ -44660,6 +47994,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 + LastWrite 
@@ -44686,6 +48021,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 + LastWrite @@ -44712,6 +48048,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + LastWrite @@ -44738,6 +48075,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 + LastWrite @@ -44764,6 +48102,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 + LastWrite @@ -44790,6 +48129,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 + LastWrite @@ -44816,6 +48156,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 + LastWrite @@ -44842,6 +48183,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyJavaPermissions_2 + LastWrite 
@@ -44868,6 +48210,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 + LastWrite @@ -44894,6 +48237,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 + LastWrite @@ -44920,6 +48264,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 + LastWrite @@ -44946,6 +48291,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 + LastWrite @@ -44972,6 +48318,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 + LastWrite @@ -44998,6 +48345,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 + LastWrite @@ -45024,6 +48372,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + LastWrite 
@@ -45050,6 +48399,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 + LastWrite @@ -45076,6 +48426,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 + LastWrite @@ -45102,6 +48453,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 + LastWrite @@ -45128,6 +48480,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 + LastWrite @@ -45154,6 +48507,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 + LastWrite @@ -45180,6 +48534,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 + LastWrite @@ -45206,6 +48561,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 + LastWrite 
@@ -45232,6 +48588,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 + LastWrite @@ -45258,6 +48615,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 + LastWrite @@ -45284,6 +48642,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 + LastWrite @@ -45310,6 +48669,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + LastWrite @@ -45336,6 +48696,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 + LastWrite @@ -45362,6 +48723,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 + LastWrite @@ -45388,6 +48750,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 + LastWrite 
@@ -45414,6 +48777,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 + LastWrite @@ -45440,6 +48804,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyJavaPermissions_10 + LastWrite @@ -45466,6 +48831,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 + LastWrite @@ -45492,6 +48858,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 + LastWrite @@ -45518,6 +48885,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 + LastWrite @@ -45544,6 +48912,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 + LastWrite @@ -45570,6 +48939,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 + LastWrite 
@@ -45596,6 +48966,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 + LastWrite @@ -45622,6 +48993,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + LastWrite @@ -45648,6 +49020,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 + LastWrite @@ -45674,6 +49047,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 + LastWrite @@ -45700,6 +49074,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 + LastWrite @@ -45726,6 +49101,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 + LastWrite @@ -45752,6 +49128,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyJavaPermissions_8 + LastWrite 
@@ -45778,6 +49155,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 + LastWrite @@ -45804,6 +49182,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 + LastWrite @@ -45830,6 +49209,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 + LastWrite @@ -45856,6 +49236,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 + LastWrite @@ -45882,6 +49263,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 + LastWrite @@ -45908,6 +49290,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 + LastWrite @@ -45934,6 +49317,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + LastWrite 
@@ -45960,6 +49344,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 + LastWrite @@ -45986,6 +49371,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 + LastWrite @@ -46012,6 +49398,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 + LastWrite @@ -46038,6 +49425,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 + LastWrite @@ -46064,6 +49452,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyJavaPermissions_6 + LastWrite @@ -46090,6 +49479,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 + LastWrite @@ -46116,6 +49506,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature IESF_PolicyExplorerProcesses_6 + LastWrite 
@@ -46142,6 +49533,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction IESF_PolicyExplorerProcesses_3 + LastWrite @@ -46168,6 +49560,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar IESF_PolicyExplorerProcesses_10 + LastWrite @@ -46192,8 +49585,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 + inetres~AT~WindowsComponents~InternetExplorer + Disable_Managing_Safety_Filter_IE9 + LastWrite @@ -46220,6 +49614,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer DisablePerUserActiveXInstall + LastWrite @@ -46246,6 +49641,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation IESF_PolicyAllProcesses_9 + LastWrite @@ -46272,6 +49668,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisableRunThisTime + LastWrite @@ -46298,6 +49695,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall IESF_PolicyAllProcesses_11 + LastWrite 
@@ -46324,6 +49722,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 + LastWrite @@ -46348,8 +49747,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyActiveScripting_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyActiveScripting_7 + LastWrite @@ -46376,6 +49776,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 + LastWrite @@ -46402,6 +49803,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 + LastWrite @@ -46426,8 +49828,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBinaryBehaviors_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBinaryBehaviors_7 + LastWrite @@ -46454,6 +49857,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowPasteViaScript_7 + LastWrite 
@@ -46480,6 +49884,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDropOrPasteFiles_7 + LastWrite @@ -46504,12 +49909,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFileDownload_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFileDownload_7 + LastWrite - RestrictedSitesZoneAllowFontDownloadsWRONG1 + RestrictedSitesZoneAllowFontDownloads @@ -46532,32 +49938,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - - - - RestrictedSitesZoneAllowFontDownloadsWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 + LastWrite @@ -46584,6 +49965,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 + LastWrite @@ -46610,6 +49992,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_XAML_7 + LastWrite 
@@ -46634,8 +50017,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowMETAREFRESH_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowMETAREFRESH_7 + LastWrite @@ -46662,6 +50046,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + LastWrite @@ -46688,6 +50073,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + LastWrite @@ -46714,6 +50100,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAllowTDCControl_Both_Restricted + LastWrite @@ -46740,6 +50127,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_WebBrowserControl_7 + LastWrite @@ -46766,6 +50154,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyWindowsRestrictionsURLaction_7 + LastWrite 
@@ -46792,6 +50181,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 + LastWrite @@ -46818,6 +50208,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 + LastWrite @@ -46844,6 +50235,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_ScriptStatusBar_7 + LastWrite @@ -46870,6 +50262,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 + LastWrite @@ -46896,6 +50289,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + LastWrite @@ -46922,6 +50316,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadSignedActiveX_7 + LastWrite 
@@ -46948,6 +50343,34 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDownloadUnsignedActiveX_7 + LastWrite + + + + RestrictedSitesZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite @@ -46974,6 +50397,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + LastWrite @@ -47000,6 +50424,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + LastWrite @@ -47026,6 +50451,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyMimeSniffingURLaction_7 + LastWrite @@ -47052,6 +50478,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_LocalPathForUpload_7 + LastWrite @@ -47078,6 +50505,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 + LastWrite 
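Review bot: The node added here, `RestrictedSitesZoneEnableCrossSiteScriptingFilter`, maps to `IZ_PolicyTurnOnXSSFilter_Both_Restricted`, and the hunk at -47364 (where `RestrictedSitesZoneWRONG3` is renamed to `RestrictedSitesZoneTurnOnCrossSiteScriptingFilter`) maps a second node to that same ADMX policy, so two MDM nodes now drive one underlying setting. With both marked `LastWrite`, the effective value of the XSS filter depends on which node a policy author writes last, which is hard to audit and easy to misconfigure. If one name is retained only for compatibility, say so next to its definition, e.g. `<!-- Alias of RestrictedSitesZoneTurnOnCrossSiteScriptingFilter; both map to IZ_PolicyTurnOnXSSFilter_Both_Restricted -->`, or drop the duplicate. The enclosing element names are not visible in this rendering, so where the comment goes has to be confirmed against the file.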
@@ -47104,6 +50532,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyJavaPermissions_7 + LastWrite @@ -47130,6 +50559,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + LastWrite @@ -47156,6 +50586,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyLogon_7 + LastWrite @@ -47182,6 +50613,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -47206,8 +50638,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + LastWrite @@ -47232,8 +50665,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyRunActiveXControls_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyRunActiveXControls_7 + LastWrite 
@@ -47260,6 +50694,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicySignedFrameworkComponentsURLaction_7 + LastWrite @@ -47284,12 +50719,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXMarkedSafe_1 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXMarkedSafe_7 + LastWrite - RestrictedSitesZoneWRONG + RestrictedSitesZoneScriptingOfJavaApplets @@ -47310,12 +50746,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptingOfJavaApplets_6 + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptingOfJavaApplets_7 + LastWrite - RestrictedSitesZoneWRONG2 + RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles @@ -47338,10 +50775,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_UnsafeFiles_7 + LastWrite - RestrictedSitesZoneWRONG3 + RestrictedSitesZoneTurnOnCrossSiteScriptingFilter @@ -47364,10 +50802,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyTurnOnXSSFilter_Both_Restricted + LastWrite - RestrictedSitesZoneWRONG4 + RestrictedSitesZoneTurnOnProtectedMode 
@@ -47390,10 +50829,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_TurnOnProtectedMode_7 + LastWrite - RestrictedSitesZoneWRONG5 + RestrictedSitesZoneUsePopupBlocker @@ -47416,6 +50856,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyBlockPopupWindows_7 + LastWrite @@ -47442,6 +50883,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload IESF_PolicyAllProcesses_12 + LastWrite @@ -47468,6 +50910,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions IESF_PolicyAllProcesses_8 + LastWrite @@ -47494,10 +50937,11 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider + LastWrite - SecurityZonesUseOnlyMachineSettings + SecurityZonesUseOnlyMachineSettings @@ -47520,6 +50964,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer Security_HKLM_only + LastWrite @@ -47546,6 +50991,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer OnlyUseAXISForActiveXInstall + LastWrite 
@@ -47572,6 +51018,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 + LastWrite @@ -47598,6 +51045,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 + LastWrite @@ -47624,6 +51072,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 + LastWrite @@ -47650,6 +51099,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 + LastWrite @@ -47676,6 +51126,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 + LastWrite @@ -47702,6 +51153,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + LastWrite @@ -47728,6 +51180,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 + LastWrite 
@@ -47754,6 +51207,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 + LastWrite @@ -47780,6 +51234,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 + LastWrite + + + + TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite + + + + TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + LastWrite @@ -47806,6 +51315,61 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite + + + + TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite 
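Review bot: The hunk at -47780 adds two nodes, `TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls` and `TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls`, that both map to `IZ_PolicyAntiMalwareCheckingOfActiveXControls_5`, and the hunk at -47806 does the same with `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe` and `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe` for `IZ_PolicyScriptActiveXNotMarkedSafe_5`. Each pair differs only by a word or a letter, and with `LastWrite` on both, whichever node is written last silently decides whether unscanned or unsafe ActiveX controls are allowed in the Trusted Sites zone. The commit also deletes the `TrustedSitesZoneWRONG1`/`WRONG2` nodes for these same policies in the hunk at -47858, which suggests one name per pair is the intended one; the other should either be removed or be annotated as a compatibility alias, e.g. `<!-- Alias kept for compatibility; prefer TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -->`. Which of the two spellings is canonical cannot be told from this diff and needs confirming against the documented policy names.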
@@ -47832,6 +51396,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyJavaPermissions_5 + LastWrite @@ -47858,58 +51423,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - - - - TrustedSitesZoneWRONG1 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - - - - TrustedSitesZoneWRONG2 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 + LastWrite @@ -47956,6 +51470,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ForestSearch + LastWrite @@ -47982,6 +51497,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos EnableCbacAndArmor + LastWrite @@ -48008,6 +51524,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ClientRequireFast + LastWrite @@ -48034,6 +51551,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos ValidateKDC + LastWrite @@ -48060,6 +51578,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Kerberos.admx Kerberos~AT~System~kerberos MaxTokenSize + LastWrite 
@@ -48103,6 +51622,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -48126,6 +51646,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor text/plain phone + LowestValueMostSecure @@ -48156,9 +51677,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 0 @@ -48175,6 +51696,7 @@ If you disable or do not configure this policy (recommended), users will be able text/plain phone + LastWrite 
@@ -48206,7 +51728,8 @@ Default: Disabled. text/plain - desktop + phone + LastWrite @@ -48233,7 +51756,8 @@ Note: If the Guest account is disabled and the security option Network Access: S text/plain - desktop + phone + LastWrite @@ -48272,6 +51796,7 @@ It is possible for applications that use remote interactive logons to bypass thi text/plain phone + LastWrite @@ -48285,7 +51810,7 @@ It is possible for applications that use remote interactive logons to bypass thi This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. - + Administrator @@ -48299,6 +51824,7 @@ Default: Administrator. text/plain phone + LastWrite @@ -48312,7 +51838,7 @@ Default: Administrator. This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. - + Guest 
@@ -48326,6 +51852,131 @@ Default: Guest. text/plain phone + LastWrite + + + + Devices_AllowedToFormatAndEjectRemovableMedia + + + + + Devices: Allowed to format and eject removable media + +This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: + +Administrators +Administrators and Interactive Users + +Default: This policy is not defined and only Administrators have this ability. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_AllowUndockWithoutHavingToLogon + + + + + Devices: Allow undock without having to log on +This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. +Default: Enabled. + +Caution +Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + + + + Devices: Prevent users from installing printer drivers when connecting to shared printers + +For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. 
If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. + +Default on servers: Enabled. +Default on workstations: Disabled + +Notes + +This setting does not affect the ability to add a local printer. +This setting does not affect Administrators. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + + + + Devices: Restrict CD-ROM access to locally logged-on user only + +This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. + +If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. + +Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + 0 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48352,10 +52003,11 @@ Do not display user information (3) text/plain phone + LastWrite - Interactivelogon_DoNotDisplayLastSignedIn + InteractiveLogon_DoNotDisplayLastSignedIn @@ -48381,10 +52033,11 @@ Default: Disabled. text/plain phone + LastWrite - Interactivelogon_DoNotDisplayUsernameAtSignIn + InteractiveLogon_DoNotDisplayUsernameAtSignIn @@ -48396,7 +52049,7 @@ If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. - 0 + 1 @@ -48410,10 +52063,11 @@ Default: Disabled. text/plain phone + LastWrite - Interactivelogon_DoNotRequireCTRLALTDEL + InteractiveLogon_DoNotRequireCTRLALTDEL @@ -48442,6 +52096,7 @@ Default on stand-alone computers: Enabled. text/plain phone + LastWrite @@ -48468,6 +52123,8 @@ Default: not enforced. text/plain + phone + LastWrite @@ -48497,6 +52154,8 @@ Default: No message. text/plain phone + LastWrite + 0xF000 @@ -48524,6 +52183,7 @@ Default: No message. text/plain phone + LastWrite 
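Review bot: In the `@@ -48396,7 +52049,7 @@` hunk the default value changes from `0` to `1` while the description two lines above still reads `Default: Disabled.`; a default of 1 means the username is hidden by default, which contradicts the text. One of the two should change, either the value stays `0` or the text becomes `Default: Enabled.`, since readers of this DDF rely on the description to decide whether an explicit setting is needed. The node this hunk belongs to starts outside the hunk; from the preceding rename it appears to be `InteractiveLogon_DoNotDisplayUsernameAtSignIn`, but that is inferred.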
@@ -48553,6 +52213,7 @@ Default: Disabled. text/plain phone + LastWrite @@ -48582,6 +52243,7 @@ Default: Enabled. text/plain phone + LastWrite @@ -48611,6 +52273,7 @@ This policy is supported on at least Windows Server 2016. text/plain phone + LastWrite @@ -48636,6 +52299,7 @@ This policy will be turned off by default on domain joined machines. This would text/plain phone + LastWrite @@ -48663,6 +52327,40 @@ Default: This policy is not defined and automatic administrative logon is not al text/plain phone + LastWrite + + + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + + + + Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48694,6 +52392,7 @@ Default: Disabled. text/plain phone + LastWrite 
@@ -48706,10 +52405,10 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - 1 +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + 0 @@ -48723,6 +52422,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U text/plain phone + LastWrite 
@@ -48737,18 +52437,18 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 0 +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + 5 @@ -48762,6 +52462,7 @@ The options are: text/plain phone + LastWrite 
@@ -48775,12 +52476,12 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 0 +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + 3 
@@ -48794,6 +52495,39 @@ The options are: text/plain phone + LastWrite + + + + UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + + + + User Account Control: Detect application installations and prompt for elevation + +This policy setting controls the behavior of application installation detection for the computer. + +The options are: + +Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite 
@@ -48808,77 +52542,9 @@ This policy setting enforces public key infrastructure (PKI) signature checks fo The options are: -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - 1 - - - - - - - - - - - text/plain - - phone - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - 1 - - - - - - - - - - - text/plain - - phone - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. 
- -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. 0 
@@ -48893,6 +52559,77 @@ The options are: text/plain phone + LastWrite + + + + UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + + + + User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +The options are: + +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + + + UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + + + + User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: + +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. 
Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + 1 + + + + + + + + + + + text/plain + + phone + LastWrite @@ -48907,9 +52644,9 @@ This policy setting controls whether the elevation request prompt is displayed o The options are: -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 1 @@ -48924,6 +52661,7 @@ The options are: text/plain phone + LastWrite @@ -48938,10 +52676,10 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i The options are: -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - 1 +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + 0 @@ -48955,6 +52693,7 @@ The options are: text/plain phone + LastWrite 
@@ -48969,9 +52708,9 @@ This policy setting controls whether application write failures are redirected t The options are: -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. -• Disabled: Applications that write data to protected locations fail. +• Disabled: Applications that write data to protected locations fail. 1 @@ -48986,6 +52725,7 @@ The options are: text/plain phone + LastWrite @@ -49028,6 +52768,7 @@ The options are: text/plain + LastWrite @@ -49071,6 +52812,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -49113,6 +52855,7 @@ The options are: text/plain + LastWrite @@ -49135,6 +52878,7 @@ The options are: text/plain + LastWrite @@ -49178,6 +52922,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49201,6 +52946,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49224,6 +52970,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -49266,6 +53013,7 @@ The options are: text/plain + LastWrite @@ -49288,6 +53036,7 @@ The options are: text/plain + LastWrite @@ -49310,6 +53059,7 @@ The options are: text/plain + LastWrite @@ -49332,6 +53082,7 @@ The options are: text/plain + LastWrite @@ -49354,6 +53105,7 @@ The options are: text/plain + LastWrite @@ -49376,6 +53128,7 @@ The options are: text/plain + LastWrite @@ -49398,6 +53151,7 @@ The options are: text/plain + LastWrite @@ -49420,6 +53174,7 @@ The options are: text/plain + LastWrite @@ -49466,6 +53221,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat AllowStandbyStatesAC_2 + LastWrite @@ -49492,6 +53248,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutDC_2 + LastWrite 
@@ -49518,6 +53275,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerVideoSettingsCat VideoPowerDownTimeOutAC_2 + LastWrite @@ -49544,6 +53302,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCHibernateTimeOut_2 + LastWrite @@ -49570,6 +53329,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACHibernateTimeOut_2 + LastWrite @@ -49596,6 +53356,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCPromptForPasswordOnResume_2 + LastWrite @@ -49622,6 +53383,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACPromptForPasswordOnResume_2 + LastWrite @@ -49648,6 +53410,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCStandbyTimeOut_2 + LastWrite @@ -49674,6 +53437,7 @@ The options are: power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACStandbyTimeOut_2 + LastWrite @@ -49720,6 +53484,7 @@ The options are: Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions_Win7 + LastWrite @@ -49746,6 +53511,7 @@ The options are: Printing2.admx Printing2~AT~Printers PublishPrinters + LastWrite @@ -49788,7 +53554,7 @@ The options are: text/plain - desktop + LowestValueMostSecure @@ -49812,6 +53578,7 @@ The options are: text/plain 10.0.10240 + LowestValueMostSecure @@ -49834,6 +53601,7 @@ The options are: text/plain + LowestValueMostSecureZeroHasNoLimits @@ -49856,6 +53624,7 @@ The options are: text/plain + HighestValueMostSecure @@ -49878,6 +53647,7 @@ The options are: text/plain + HighestValueMostSecure @@ -49900,6 +53670,8 @@ The options are: text/plain + LastWrite + ; @@ -49922,6 +53694,8 @@ The options are: text/plain + LastWrite + ; @@ -49944,6 +53718,8 @@ The options are: text/plain + LastWrite + ; @@ -49966,6 +53742,7 @@ The options are: text/plain + HighestValueMostSecure 
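Review bot: The `@@ -49788,7 +53554,7 @@` hunk removes the `desktop` line and adds `LowestValueMostSecure` in its place, so that node loses whatever element `desktop` carried, whereas the neighbouring hunks (for example `@@ -49178,6 +52922,7 @@` on the previous line) keep `desktop` and add the conflict-resolution value as an extra line. Unless this node is intentionally no longer scoped to desktop, the `desktop` line should be restored as context with `LowestValueMostSecure` added after it. Element names are stripped in this rendering, so the exact tag is inferred.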
@@ -49988,6 +53765,8 @@ The options are: text/plain + LastWrite + ; @@ -50010,6 +53789,8 @@ The options are: text/plain + LastWrite + ; @@ -50032,6 +53813,8 @@ The options are: text/plain + LastWrite + ; @@ -50054,6 +53837,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50076,6 +53860,8 @@ The options are: text/plain + LastWrite + ; @@ -50098,6 +53884,8 @@ The options are: text/plain + LastWrite + ; @@ -50120,6 +53908,8 @@ The options are: text/plain + LastWrite + ; @@ -50142,6 +53932,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50164,6 +53955,8 @@ The options are: text/plain + LastWrite + ; @@ -50186,6 +53979,8 @@ The options are: text/plain + LastWrite + ; @@ -50208,94 +54003,8 @@ The options are: text/plain - - - - LetAppsAccessCellularData - - - - - This policy setting specifies whether Windows apps can access cellular data. - 0 - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - - text/plain - + LastWrite + ; 
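Review bot: The `@@ -50208,94 +54003,8 @@` hunk deletes the four `LetAppsAccessCellularData` nodes (the base policy plus `_ForceAllowTheseApps`, `_ForceDenyTheseApps` and `_UserInControlOfTheseApps`) with no replacement in this hunk. If they were moved elsewhere in the file to fix ordering that is fine, but if the removal is deliberate the commit description should say so, since it silently drops a privacy policy that administrators may look up here; a search of the new file for `LetAppsAccessCellularData` would settle it.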
@@ -50318,6 +54027,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50340,6 +54050,8 @@ The options are: text/plain + LastWrite + ; @@ -50362,6 +54074,8 @@ The options are: text/plain + LastWrite + ; @@ -50384,6 +54098,8 @@ The options are: text/plain + LastWrite + ; @@ -50406,6 +54122,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50428,6 +54145,8 @@ The options are: text/plain + LastWrite + ; @@ -50450,6 +54169,8 @@ The options are: text/plain + LastWrite + ; @@ -50472,6 +54193,8 @@ The options are: text/plain + LastWrite + ; @@ -50494,6 +54217,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50516,6 +54240,8 @@ The options are: text/plain + LastWrite + ; @@ -50538,6 +54264,8 @@ The options are: text/plain + LastWrite + ; @@ -50560,6 +54288,8 @@ The options are: text/plain + LastWrite + ; @@ -50582,6 +54312,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50604,6 +54335,8 @@ The options are: text/plain + LastWrite + ; @@ -50626,6 +54359,8 @@ The options are: text/plain + LastWrite + ; @@ -50648,6 +54383,8 @@ The options are: text/plain + LastWrite + ; @@ -50670,6 +54407,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50692,6 +54430,8 @@ The options are: text/plain + LastWrite + ; @@ -50714,6 +54454,8 @@ The options are: text/plain + LastWrite + ; @@ -50736,6 +54478,8 @@ The options are: text/plain + LastWrite + ; @@ -50758,6 +54502,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50780,6 +54525,8 @@ The options are: text/plain + LastWrite + ; @@ -50802,6 +54549,8 @@ The options are: text/plain + LastWrite + ; @@ -50824,6 +54573,8 @@ The options are: text/plain + LastWrite + ; @@ -50846,6 +54597,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50868,6 +54620,8 @@ The options are: text/plain + LastWrite + ; @@ -50890,6 +54644,8 @@ The options are: text/plain + LastWrite + ; @@ -50912,6 +54668,8 @@ The options are: text/plain + LastWrite + ; 
@@ -50934,6 +54692,7 @@ The options are: text/plain + HighestValueMostSecure @@ -50956,6 +54715,8 @@ The options are: text/plain + LastWrite + ; @@ -50978,6 +54739,8 @@ The options are: text/plain + LastWrite + ; @@ -51000,6 +54763,8 @@ The options are: text/plain + LastWrite + ; @@ -51022,6 +54787,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51044,6 +54810,8 @@ The options are: text/plain + LastWrite + ; @@ -51066,6 +54834,8 @@ The options are: text/plain + LastWrite + ; @@ -51088,6 +54858,8 @@ The options are: text/plain + LastWrite + ; @@ -51110,6 +54882,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51132,6 +54905,8 @@ The options are: text/plain + LastWrite + ; @@ -51154,6 +54929,8 @@ The options are: text/plain + LastWrite + ; @@ -51176,6 +54953,8 @@ The options are: text/plain + LastWrite + ; @@ -51198,6 +54977,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51220,6 +55000,8 @@ The options are: text/plain + LastWrite + ; @@ -51242,6 +55024,8 @@ The options are: text/plain + LastWrite + ; @@ -51264,6 +55048,8 @@ The options are: text/plain + LastWrite + ; @@ -51286,6 +55072,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51308,6 +55095,8 @@ The options are: text/plain + LastWrite + ; @@ -51330,6 +55119,8 @@ The options are: text/plain + LastWrite + ; @@ -51352,6 +55143,8 @@ The options are: text/plain + LastWrite + ; @@ -51374,6 +55167,7 @@ The options are: text/plain + HighestValueMostSecure @@ -51396,6 +55190,8 @@ The options are: text/plain + LastWrite + ; @@ -51418,6 +55214,8 @@ The options are: text/plain + LastWrite + ; @@ -51440,6 +55238,8 @@ The options are: text/plain + LastWrite + ; @@ -51448,7 +55248,7 @@ The options are: - This policy setting specifies whether Windows apps can sync with devices. + This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. 0 @@ -51462,6 +55262,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -51470,7 +55271,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51484,6 +55285,8 @@ The options are: text/plain + LastWrite + ; @@ -51492,7 +55295,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51506,6 +55309,8 @@ The options are: text/plain + LastWrite + ; @@ -51514,7 +55319,7 @@ The options are: - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -51528,6 +55333,8 @@ The options are: text/plain + LastWrite + ; @@ -51550,6 +55357,7 @@ The options are: text/plain + HighestValueMostSecure 
@@ -51596,6 +55404,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Options + LastWrite @@ -51622,6 +55431,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Logging + LastWrite @@ -51648,6 +55458,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Solicit + LastWrite @@ -51674,6 +55485,7 @@ The options are: remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Unsolicit + LastWrite @@ -51720,6 +55532,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS TS_DISABLE_CONNECTIONS + LastWrite @@ -51746,6 +55559,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_ENCRYPTION_POLICY + LastWrite @@ -51772,6 +55586,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION TS_CLIENT_DRIVE_M + LastWrite @@ -51798,6 +55613,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT TS_CLIENT_DISABLE_PASSWORD_SAVING_2 + LastWrite @@ -51824,6 +55640,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_PASSWORD + LastWrite @@ -51850,6 +55667,7 @@ The options are: terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_RPC_ENCRYPTION + LastWrite @@ -51896,6 +55714,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowBasic_2 + LastWrite @@ -51922,6 +55741,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowBasic_1 + LastWrite 
@@ -51946,8 +55766,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_1 + WindowsRemoteManagement~AT~WindowsComponents~WinRMClient + AllowCredSSP_2 + LastWrite @@ -51973,7 +55794,8 @@ The options are: phone WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_2 + AllowCredSSP_1 + LastWrite @@ -52000,6 +55822,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowAutoConfig + LastWrite @@ -52026,6 +55849,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient AllowUnencrypted_2 + LastWrite @@ -52052,6 +55876,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService AllowUnencrypted_1 + LastWrite @@ -52078,6 +55903,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient DisallowDigest + LastWrite @@ -52102,8 +55928,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisallowNegotiate_1 + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + DisallowNegotiate_2 + LastWrite @@ -52128,8 +55955,9 @@ The options are: phone WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowNegotiate_2 + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + DisallowNegotiate_1 + LastWrite @@ -52156,6 +55984,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService DisableRunAs + LastWrite @@ -52182,6 +56011,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService CBTHardeningLevel_1 + LastWrite 
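Review bot: The category path written for AllowCredSSP_2 in the first hunk on this line, `WindowsRemoteManagement~AT~WindowsComponents~WinRMClient`, drops the `WinRM` segment that every other WinRM client entry in this section carries (AllowBasic_2, AllowUnencrypted_2, DisallowDigest and the corrected DisallowNegotiate_2 all read `WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient`). If this string is what an MDM client uses to locate the ADMX category, the client-side CredSSP delegation policy would presumably fail to resolve while its server-side twin still works, which is an easy thing to miss in testing. The line should read `WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient`. The policy element this hunk edits begins before the hunk.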
@@ -52208,6 +56038,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient TrustedHosts + LastWrite @@ -52234,6 +56065,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpCompatibilityListener + LastWrite @@ -52260,6 +56092,7 @@ The options are: WindowsRemoteManagement.admx WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService HttpsCompatibilityListener + LastWrite @@ -52306,6 +56139,7 @@ The options are: rpc.admx RPC~AT~System~Rpc RpcRestrictRemoteClients + LastWrite @@ -52332,6 +56166,7 @@ The options are: rpc.admx RPC~AT~System~Rpc RpcEnableAuthEpResolution + LastWrite @@ -52378,6 +56213,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS AllowRemoteShellAccess + LastWrite @@ -52404,6 +56240,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxConcurrentUsers + LastWrite @@ -52430,6 +56267,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS IdleTimeout + LastWrite @@ -52456,6 +56294,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxMemoryPerShellMB + LastWrite @@ -52482,6 +56321,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxProcessesPerShell + LastWrite @@ -52508,6 +56348,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS MaxShellsPerUser + LastWrite @@ -52534,6 +56375,7 @@ The options are: WindowsRemoteShell.admx WindowsRemoteShell~AT~WindowsComponents~WinRS ShellTimeOut + LastWrite @@ -52556,6 +56398,29 @@ The options are: + + AllowCloudSearch + + + + + + 2 + + + + + + + + + + + text/plain + + LowestValueMostSecure + + AllowIndexingEncryptedStoresOrItems @@ -52576,6 +56441,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -52598,6 +56464,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52620,6 +56487,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52642,6 +56510,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52664,6 +56533,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52686,6 +56556,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52708,6 +56579,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52730,6 +56602,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52752,6 +56625,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52774,6 +56648,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52797,6 +56672,7 @@ The options are: text/plain desktop + HighestValueMostSecure @@ -52839,6 +56715,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52862,6 +56739,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -52884,6 +56762,7 @@ The options are: text/plain + LowestValueMostSecure @@ -52907,6 +56786,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -52930,6 +56810,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -52952,6 +56833,7 @@ The options are: text/plain + LastWrite @@ -52974,6 +56856,7 @@ The options are: text/plain + HighestValueMostSecure @@ -52996,6 +56879,7 @@ The options are: text/plain + HighestValueMostSecure @@ -53018,6 +56902,7 @@ The options are: text/plain + HighestValueMostSecure @@ -53061,6 +56946,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53083,6 +56969,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53105,6 +56992,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53127,6 +57015,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53150,6 +57039,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53173,6 +57063,7 @@ The options are: text/plain phone + LowestValueMostSecure 
@@ -53196,6 +57087,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53219,6 +57111,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53241,6 +57134,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53264,6 +57158,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53286,6 +57181,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53308,6 +57204,7 @@ The options are: text/plain + LastWrite @@ -53351,6 +57248,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53374,6 +57272,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53397,6 +57296,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -53439,6 +57339,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53482,6 +57383,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53505,6 +57407,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53528,6 +57431,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53551,6 +57455,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53574,6 +57479,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53597,6 +57503,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53620,6 +57527,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53643,6 +57551,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53666,6 +57575,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53689,6 +57599,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53712,6 +57623,7 @@ The options are: text/plain phone + LastWrite @@ -53735,6 +57647,7 @@ The options are: text/plain phone + LastWrite @@ -53757,6 +57670,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53780,6 +57694,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53802,6 +57717,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -53824,6 +57740,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53847,6 +57764,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53869,6 +57787,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53892,6 +57811,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53915,6 +57835,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -53937,6 +57858,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53959,6 +57881,7 @@ The options are: text/plain + LowestValueMostSecure @@ -53981,6 +57904,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54003,6 +57927,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54025,6 +57950,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54047,6 +57973,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54070,6 +57997,7 @@ The options are: text/plain phone + LastWrite @@ -54093,6 +58021,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54116,6 +58045,7 @@ The options are: text/plain phone + LastWrite @@ -54138,6 +58068,30 @@ The options are: + + AllowDiskHealthModelUpdates + + + + + + 1 + + + + + + + + + + + text/plain + + phone + LastWrite + + EnhancedStorageDevices @@ -54162,6 +58116,7 @@ The options are: enhancedstorage.admx EnhancedStorage~AT~System~EnStorDeviceAccess TCGSecurityActivationDisabled + LastWrite @@ -54204,6 +58159,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54226,6 +58182,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54248,6 +58205,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54270,6 +58228,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54292,6 +58251,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54314,6 +58274,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54336,6 +58297,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -54358,6 +58320,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54384,6 +58347,7 @@ The options are: earlylauncham.admx EarlyLaunchAM~AT~System~ELAMCategory POL_DriverLoadPolicy_Name + LastWrite @@ -54392,7 +58356,7 @@ The options are: - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 0 @@ -54406,6 +58370,7 @@ The options are: text/plain + HighestValueMostSecure @@ -54432,6 +58397,30 @@ The options are: systemrestore.admx SystemRestore~AT~System~SR SR_DisableSR + LastWrite + + + + FeedbackHubAlwaysSaveDiagnosticsLocally + + + + + Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + 0 + + + + + + + + + + + text/plain + + LastWrite @@ -54454,6 +58443,7 @@ The options are: text/plain + LastWrite 
@@ -54497,6 +58487,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54520,6 +58511,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54543,6 +58535,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54566,6 +58559,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54589,6 +58583,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54612,6 +58607,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54635,6 +58631,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54657,6 +58654,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54680,6 +58678,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54702,6 +58701,7 @@ The options are: text/plain + HighestValueMostSecure @@ -54725,6 +58725,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54748,6 +58749,7 @@ The options are: text/plain phone + HighestValueMostSecure @@ -54791,6 +58793,7 @@ The options are: text/plain desktop + LowestValueMostSecure @@ -54833,6 +58836,7 @@ The options are: text/plain + LastWrite @@ -54855,6 +58859,7 @@ The options are: text/plain + LastWrite @@ -54877,6 +58882,7 @@ The options are: text/plain + LastWrite @@ -54899,6 +58905,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54921,6 +58928,7 @@ The options are: text/plain + LastWrite @@ -54944,6 +58952,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -54966,6 +58975,7 @@ The options are: text/plain + LowestValueMostSecure @@ -54988,6 +58998,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55010,6 +59021,7 @@ The options are: text/plain + LastWrite @@ -55032,6 +59044,7 @@ The options are: text/plain + LastWrite @@ -55054,6 +59067,7 @@ The options are: text/plain + LastWrite @@ -55076,6 +59090,7 @@ The options are: text/plain + LastWrite @@ -55098,6 +59113,7 @@ The options are: text/plain + LastWrite 
@@ -55120,6 +59136,7 @@ The options are: text/plain + LastWrite @@ -55142,6 +59159,7 @@ The options are: text/plain + LastWrite @@ -55164,6 +59182,7 @@ The options are: text/plain + LastWrite @@ -55186,6 +59205,30 @@ The options are: text/plain + LastWrite + + + + DisableDualScan + + + + + Do not allow update deferral policies to cause scans against Windows Update + 0 + + + + + + + + + + + text/plain + + LastWrite @@ -55208,6 +59251,7 @@ The options are: text/plain + LastWrite @@ -55230,6 +59274,7 @@ The options are: text/plain + LastWrite @@ -55252,6 +59297,7 @@ The options are: text/plain + LastWrite @@ -55274,6 +59320,7 @@ The options are: text/plain + LastWrite @@ -55296,6 +59343,7 @@ The options are: text/plain + LastWrite @@ -55318,6 +59366,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55340,10 +59389,11 @@ The options are: text/plain + LowestValueMostSecure - ManageBuildPreview + ManagePreviewBuilds @@ -55362,6 +59412,7 @@ The options are: text/plain + LastWrite @@ -55384,6 +59435,7 @@ The options are: text/plain + LastWrite @@ -55406,6 +59458,7 @@ The options are: text/plain + LastWrite @@ -55428,6 +59481,7 @@ The options are: text/plain + LastWrite @@ -55450,6 +59504,7 @@ The options are: text/plain + LastWrite @@ -55472,6 +59527,7 @@ The options are: text/plain + LastWrite @@ -55494,6 +59550,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55516,6 +59573,7 @@ The options are: text/plain + LastWrite @@ -55538,6 +59596,7 @@ The options are: text/plain + HighestValueMostSecure @@ -55560,6 +59619,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55582,6 +59642,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55604,6 +59665,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55626,6 +59688,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55648,6 +59711,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55670,6 +59734,7 @@ The options are: text/plain + LowestValueMostSecure 
@@ -55692,6 +59757,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55714,6 +59780,7 @@ The options are: text/plain + LastWrite @@ -55736,6 +59803,7 @@ The options are: text/plain + LastWrite @@ -55758,6 +59826,7 @@ The options are: text/plain + LastWrite @@ -55780,6 +59849,7 @@ The options are: text/plain + LastWrite @@ -55802,6 +59872,7 @@ The options are: text/plain + LastWrite @@ -55825,6 +59896,7 @@ The options are: text/plain phone + LastWrite @@ -55867,6 +59939,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55889,6 +59962,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55911,6 +59985,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55933,6 +60008,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55955,6 +60031,7 @@ The options are: text/plain + LowestValueMostSecure @@ -55977,6 +60054,7 @@ The options are: text/plain + HighestValueMostSecureZeroHasNoLimits @@ -56020,6 +60098,7 @@ The options are: text/plain phone + LastWrite @@ -56043,6 +60122,7 @@ The options are: text/plain phone + LastWrite @@ -56066,6 +60146,7 @@ The options are: text/plain phone + LastWrite @@ -56089,6 +60170,7 @@ The options are: text/plain phone + LastWrite @@ -56112,6 +60194,7 @@ The options are: text/plain phone + LastWrite @@ -56135,6 +60218,7 @@ The options are: text/plain phone + LastWrite @@ -56158,6 +60242,7 @@ The options are: text/plain phone + LastWrite @@ -56181,6 +60266,7 @@ The options are: text/plain phone + LastWrite @@ -56204,6 +60290,7 @@ The options are: text/plain phone + LastWrite @@ -56227,6 +60314,7 @@ The options are: text/plain phone + LastWrite @@ -56250,6 +60338,7 @@ The options are: text/plain phone + LastWrite @@ -56273,6 +60362,7 @@ The options are: text/plain phone + LastWrite @@ -56296,6 +60386,7 @@ The options are: text/plain phone + LastWrite @@ -56319,6 +60410,7 @@ The options are: text/plain phone + LastWrite @@ -56362,6 +60454,7 @@ The options are: text/plain phone + LowestValueMostSecure 
@@ -56385,6 +60478,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -56431,6 +60525,7 @@ The options are: logon.admx Logon~AT~System~Logon DisableLockScreenAppNotifications + LastWrite @@ -56457,6 +60552,7 @@ The options are: logon.admx Logon~AT~System~Logon DontDisplayNetworkSelectionUI + LastWrite @@ -56479,6 +60575,7 @@ The options are: text/plain + HighestValueMostSecure @@ -56521,6 +60618,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56543,6 +60641,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56567,6 +60666,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56591,6 +60691,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56616,6 +60717,7 @@ The options are: text/plain phone + LowestValueMostSecure @@ -56640,6 +60742,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56662,6 +60765,7 @@ The options are: text/plain + LowestValueMostSecure @@ -56686,6 +60790,7 @@ The options are: text/plain + LowestValueMostSecure diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index e7cb76d8bc..3654fa873f 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/28/2017 --- # SurfaceHub CSP @@ -127,7 +127,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    The data type is char. -**DeviceAccount/PasswordRotationPeriod** +**DeviceAccount/PasswordRotationEnabled**

    Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).

    Valid values: diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 503965ca62..6447431681 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/28/2017 --- # SurfaceHub DDF file @@ -281,7 +281,7 @@ The XML below is the current version for this CSP. - PasswordRotationPeriod + PasswordRotationEnabled diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index d905d434f9..a1cd701480 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
@@ -45,7 +45,7 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. -Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed). +Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. 
For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). ## ADMX files and the Group Policy Editor 
@@ -97,7 +97,7 @@ Appv.admx file: ## ADMX-backed policy examples -The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ### Enabling a policy @@ -119,7 +119,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ```XML - + 2 
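Review bot: The rewritten sentence in the `@@ -97,7 +97,7 @@` hunk now reads "you can use favorite online tool", which is missing a word and, with the named link removed, no longer tells the reader what to use. Since the paragraph is about XML-encoding a SyncML payload that will be pushed to managed devices, pointing at an unspecified web tool is also a weak recommendation. Suggest `for this XML encoding, you can use the XML-escaping facility of your MDM tooling or any XML encoding utility.`, or end the sentence at `must be XML-encoded.` and let the CData alternative that follows stand on its own.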
@@ -169,7 +169,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ```XML - + 2 @@ -209,7 +209,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ``` - + 1 @@ -292,7 +292,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ```XML - + $CmdId$ @@ -333,7 +333,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ```XML - + 2 @@ -377,7 +377,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -409,7 +409,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -466,7 +466,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -503,7 +503,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -552,7 +552,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ```XML - + 2 diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index c982bb06b0..05e8da9fa3 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/07/2017 --- # VPNv2 CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device. 
@@ -45,8 +47,6 @@ Supported operations include Get, Add, and Delete. > **Note**  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. -  - **VPNv2/***ProfileName***/AppTriggerList** Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. @@ -91,6 +91,11 @@ The subnet prefix size part of the destination prefix for the route entry. This, Value type is int. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/***ProfileName***/RouteList/***routeRowId***/Metric** +Added in Windows 10, version 1607. The route's metric. + +Value type is int. Supported operations include Get, Add, Replace, and Delete. + **VPNv2/***ProfileName***/RouteList/***routeRowId***/ExclusionRoute** Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values: @@ -261,7 +266,7 @@ Valid values: Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/LockDown** +**VPNv2/***ProfileName***/LockDown** (./Device only profile) Lockdown profile. Valid values: 
@@ -280,6 +285,24 @@ A Lockdown profile must be deleted before you can add, remove, or connect other Value type is bool. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/***ProfileName***/DeviceTunnel** (./Device only profile) +Device tunnel profile. + +Valid values: + +- False (default) - this is not a device tunnel profile. +- True - this is a device tunnel profile. + +When the DeviceTunnel profile is turned on, it does the following things: + +- First, it automatically becomes an "always on" profile. +- Second, it does not require the presence or logging in of any user to the machine in order for it to connect. +- Third, no other device tunnel profile maybe be present on the same machine. + +A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. + +Value type is bool. Supported operations include Get, Add, Replace, and Delete. + **VPNv2/***ProfileName***/DnsSuffix** Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. @@ -493,6 +516,8 @@ The following list contains the valid values: - AES128 - AES192 - AES256 +- AES\_GCM_128 +- AES\_GCM_256 Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -542,6 +567,11 @@ Added in Windows 10, version 1607. The preshared key used for an L2TP connectio Value type is chr. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/***ProfileName***/NativeProfile/DisableClassBasedDefaultRoute** +Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 + +Value type is bool. Supported operations include Get, Add, Replace, and Delete. + ## Examples 
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index f85acf61e2..1312ba1a63 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/07/2017 --- # VPNv2 DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider. @@ -20,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -33,7 +35,7 @@ The XML below is the current version for this CSP. 1.2 VPNv2 - ./Vendor/MSFT + ./Device/Vendor/MSFT @@ -48,7 +50,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/VPNv2 + com.microsoft/1.3/MDM/VPNv2 @@ -310,7 +312,7 @@ The XML below is the current version for this CSP. - + False = This Route will direct traffic over the VPN True = This Route will direct traffic over the physical interface By default, this value is false. 
@@ -953,6 +955,43 @@ The XML below is the current version for this CSP. + + DeviceTunnel + + + + + + + + + False = This is not a Device Tunnel profile and it is the default value. + True = This is a Device Tunnel profile. + + If turned on a device tunnel profile does four things. + First, it automatically becomes an always on profile. + Second, it does not require the presence or logging in + of any user to the machine in order for it to connect. + Third, no other Device Tunnel profile maybe be present on the + Same machine. + + A device tunnel profile must be deleted before another device tunnel + profile can be added, removed, or connected. + + + + + + + + + + + + text/plain + + + DnsSuffix @@ -1996,6 +2035,8 @@ The XML below is the current version for this CSP. -- AES128 -- AES192 -- AES256 + -- AES_GCM_128 + -- AES_GCM_256 @@ -2180,7 +2221,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.3/MDM/VPNv2 @@ -4087,6 +4128,8 @@ The XML below is the current version for this CSP. -- AES128 -- AES192 -- AES256 + -- AES_GCM_128 + -- AES_GCM_256 @@ -4255,14 +4298,4 @@ The XML below is the current version for this CSP. -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index b4b671369b..665ae99cae 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md 
@@ -12,6 +12,9 @@ ms.date: 06/19/2017 # WindowsAdvancedThreatProtection CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 00afc29c8a..196883556d 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -12,6 +12,9 @@ ms.date: 06/19/2017 # WindowsAdvancedThreatProtection DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 06c0919533..0b67cbdc42 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md 
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # New policies for Windows 10
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index ea6eb5cda2..7a13a7bc93 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Reset a Windows 10 Mobile device
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 0d6a833f58..390d23a40e 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile, devices, security
-localizationpriority: high
+ms.localizationpriority: high
 author: AMeeus
 ---
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index f4a06d5d6a..8ccede5240 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -58,9 +58,65 @@ ### [Provision PCs with common settings for initial deployment (desktop wizard)](provisioning-packages/provision-pcs-for-initial-deployment.md) ### [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md) ### [Use a script to install a desktop app in provisioning packages](provisioning-packages/provisioning-script-to-install-app.md) +### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) -### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) +### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) +#### [Accounts](wcd/wcd-accounts.md) +#### [ADMXIngestion](wcd/wcd-admxingestion.md) +#### [ApplicationManagement](wcd/wcd-applicationmanagement.md) +#### [AssignedAccess](wcd/wcd-assignedaccess.md) +#### [AutomaticTime](wcd/wcd-automatictime.md) +#### [Browser](wcd/wcd-browser.md) +#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md) +#### [Cellular](wcd/wcd-cellular.md) +#### [Certificates](wcd/wcd-certificates.md) +#### [CleanPC](wcd/wcd-cleanpc.md) +#### [Connections](wcd/wcd-connections.md) +#### [ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) +#### [CountryAndRegion](wcd/wcd-countryandregion.md) +#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md) +#### [DeveloperSetup](wcd/wcd-developersetup.md) +#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md) +#### [DeviceManagement](wcd/wcd-devicemanagement.md) +#### [DMClient](wcd/wcd-dmclient.md) +#### [EditionUpgrade](wcd/wcd-editionupgrade.md) +#### [EmbeddedLockdownProfiles](wcd/wcd-embeddedlockdownprofiles.md) +#### 
[FirewallConfiguration](wcd/wcd-firewallconfiguration.md) +#### [FirstExperience](wcd/wcd-firstexperience.md) +#### [Folders](wcd/wcd-folders.md) +#### [InitialSetup](wcd/wcd-initialsetup.md) +#### [InternetExplorer](wcd/wcd-internetexplorer.md) +#### [Licensing](wcd/wcd-licensing.md) +#### [Maps](wcd/wcd-maps.md) +#### [Messaging](wcd/wcd-messaging.md) +#### [ModemConfigurations](wcd/wcd-modemconfigurations.md) +#### [Multivariant](wcd/wcd-multivariant.md) +#### [NetworkProxy](wcd/wcd-networkproxy.md) +#### [NetworkQOSPolicy](wcd/wcd-networkqospolicy.md) +#### [NFC](wcd/wcd-nfc.md) +#### [OOBE](wcd/wcd-oobe.md) +#### [OtherAssets](wcd/wcd-otherassets.md) +#### [Personalization](wcd/wcd-personalization.md) +#### [Policies](wcd/wcd-policies.md) +#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [SharedPC](wcd/wcd-sharedpc.md) +#### [Shell](wcd/wcd-shell.md) +#### [SMISettings](wcd/wcd-smisettings.md) +#### [Start](wcd/wcd-start.md) +#### [StartupApp](wcd/wcd-startupapp.md) +#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md) +#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md) +#### [TabletMode](wcd/wcd-tabletmode.md) +#### [TakeATest](wcd/wcd-takeatest.md) +#### [Theme](wcd/wcd-theme.md) +#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md) +#### [UniversalAppInstall](wcd/wcd-universalappinstall.md) +#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md) +#### [WeakCharger](wcd/wcd-weakcharger.md) +#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md) +#### [WLAN](wcd/wcd-wlan.md) +#### [Workplace](wcd/wcd-workplace.md) ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) ## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md) ### [Get Started with UE-V](ue-v/uev-getting-started.md) 
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md index 871ff7e560..cb11a4d0d9 100644 --- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md 
@@ -6,41 +6,32 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high -author: brianlic-msft -ms.author: brianlic +ms.localizationpriority: high +author: eross-msft +ms.author: lizross --- # Windows 10, version 1703 basic level Windows diagnostic events and fields - **Applies to** -- Windows 10, version 1703 +- Windows 10, version 1703 and later +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level also helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. 
- -You can learn more about Windows functional and diagnostic data through these articles: - +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles: - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) - - +>[!Note] +>Updated July 2017 to document new and modified events. We’ve added new fields to several Appraiser events to prepare for upgrades to the next release of Windows and we’ve added a brand-new event, Census.Speech, to collect basic details about speech settings and configuration. ## Common data extensions ### Common Data Extensions.App - - The following fields are available: - **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. @@ -51,8 +42,6 @@ The following fields are available: ### Common Data Extensions.CS - - The following fields are available: - **sig** A common schema signature that identifies new and modified event schemas. @@ -60,8 +49,6 @@ The following fields are available: ### Common Data Extensions.CUET - - The following fields are available: - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. 
@@ -258,8 +245,23 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: +- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. on this device. +- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. 
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. +- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. - **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device. - **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. - **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device. @@ -274,6 +276,7 @@ The following fields are available: - **SystemWim** The total SystemWim objects that are present on this device - **SystemTouch** The total SystemTouch objects that are present on this device. - **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256 
@@ -282,6 +285,21 @@ This event lists the types of objects and the hashed values of all the identifie The following fields are available: +- **DatasourceApplicationFile_RS3** The total DatasourceApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. 
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **PCFP** An ID for the system that is calculated by hashing hardware identifiers. - **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device. - **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device. @@ -298,6 +316,7 @@ The following fields are available: - **SystemWim** The SHA256 hash of SystemWim objects that are present on this device. - **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device. - **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd 
@@ -1617,15 +1636,15 @@ This event is used to gather basic speech settings on the device. The following fields are available: -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. 
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
 ### Census.Storage
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 789b57b03a..76c39cc45d 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: jdeckerms
 ---
@@ -14,6 +14,21 @@ author: jdeckerms This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## August 2017 + +New or changed topic | Description +--- | --- + [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. + +## July 2017 +| New or changed topic | Description | +| --- | --- | +| [Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** | +| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed | +| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | +|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. | +| [Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. | + ## June 2017 | New or changed topic | Description | @@ -29,6 +44,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New | | [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings | + ## April 2017 | New or changed topic | Description | 
@@ -36,6 +52,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Added instructions for using WMI bridge to configure shared PC | + ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 0cdcbc76fc..36cb3a412a 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Changes to Group Policy settings for Windows 10 Start @@ -55,7 +55,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an Prevent users from customizing their Start Screen -

    Use this policy in conjunction with [CopyProfile](https://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it

    +

    Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it

    Prevent users from uninstalling applications from Start diff --git a/windows/configuration/configure-devices-without-mdm.md b/windows/configuration/configure-devices-without-mdm.md index 93a12aba20..935f14bc0d 100644 --- a/windows/configuration/configure-devices-without-mdm.md +++ b/windows/configuration/configure-devices-without-mdm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile, devices author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Configure devices without MDM diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 7b332830bc..3e9fff0d5c 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Configure Windows 10 taskbar diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md index 10b155e2d8..1aec75a995 100644 --- a/windows/configuration/configure-windows-telemetry-in-your-organization.md +++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index a1011e2397..7630406f0d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md 
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index fc46c6b7ee..61bf864982 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Send feedback about Cortana at work back to Microsoft
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index b9b9f1f63c..bffa8f1644 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Set up and test Cortana with Office 365 in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index c6a9a191ca..2a3d087da8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Cortana integration in your business or enterprise
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 06a4b3cf08..5dd38b8ec8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 26579a4c9c..1eef8c58d2 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Set up and test Cortana for Power BI in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 54b801cabc..3d96f92396 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index af1b1610ae..d51d5c4c88 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 2 - Perform a quick search with Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 540ea0bb4b..b04d11d615 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 3 - Set a reminder for a specific location using Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index cf313aa77c..df57f9ca9d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 4 - Use Cortana at work to find your upcoming meetings
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 5df8bb1b2e..8306c2143a 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 5 - Use Cortana to send email to a co-worker
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index f369b838fb..1274f67445 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 7fff5ef044..051d96937f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index fa88b44c54..070192c8e0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Testing scenarios using Cortana in your business or organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index def19d5939..0738115be9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Set up and test custom voice commands in Cortana for your organization
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 8a06655003..bad5148d3a 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Customize and export Start layout
@@ -40,7 +40,9 @@ You can deploy the resulting .xml file to devices using one of the following met
 - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-## Customize the Start screen on your test computer
+
+
+## Customize the Start screen on your test computer
 To prepare a Start layout for export, you simply customize the Start layout on a test computer.
@@ -69,6 +71,11 @@ To prepare a Start layout for export, you simply customize the Start layout on a
 - **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
 - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
+
+>[!IMPORTANT]
+>In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
+>
+>In earlier versions of Windows 10, no tile would be pinned.
 ## Export the Start layout
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 816c2dfba0..1313186ea4 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Customize Windows 10 Start and taskbar with Group Policy
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 3a731ffc48..544462e2ea 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -16,16 +16,16 @@ localizationpriority: medium
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
+
 >**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
 >[!NOTE]
 >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
 >[!WARNING] 
 >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
@@ -118,10 +118,9 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus
 | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
 | **Data type** | **String** |
 | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
- | **Value** | Paste the contents of the Start layout .xml file that you created. |
+ | **Value** | Paste the contents of the Start layout .xml file that you created. |   - 7. Click **OK** to save the setting and return to the **Create Policy** page. 8. Click **Save Policy**.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 2046f28cd5..c4a13cef3a 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Customize Windows 10 Start and taskbar with provisioning packages
@@ -16,16 +16,16 @@ localizationpriority: medium
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
+
 >**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
 >[!IMPORTANT]
 >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
 ## How Start layout control works
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index ec6199f1a5..963f69e6ae 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: jdecker
 ms.date: 06/29/2017
 ---
@@ -46,12 +46,11 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
 ## Guidelines for web browsers
-Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
+Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not supported for assigned access.
 If you use a web browser as your assigned access app, consider the following tips:
 - You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
-- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar.
 - You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
 - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
 - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
diff --git a/windows/configuration/images/admx-category.PNG b/windows/configuration/images/admx-category.PNG
new file mode 100644
index 0000000000..465dd53fe3
Binary files /dev/null and b/windows/configuration/images/admx-category.PNG differ
diff --git a/windows/configuration/images/admx-policy.PNG b/windows/configuration/images/admx-policy.PNG
new file mode 100644
index 0000000000..c3c7b9a088
Binary files /dev/null and b/windows/configuration/images/admx-policy.PNG differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 1432e34058..df0e8e3a76 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: jdeckerms
 ---
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
index 97daba286f..21d8d0d394 100644
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: jdeckerms
 ---
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index fd04412683..445d25bf22 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Lock down Windows 10 to specific apps
diff --git a/windows/configuration/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md
index 3d2b718c3d..0bcecb6b1a 100644
--- a/windows/configuration/lock-down-windows-10.md
+++ b/windows/configuration/lock-down-windows-10.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Lock down Windows 10
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index c7ee249a2d..1477240276 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Lockdown features from Windows Embedded 8.1 Industry
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 51841c4ad0..e5ebed0c80 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -6,10 +6,10 @@ keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ms.author: brianlic-msft
-ms.date: 06/13/2017
+ms.date: 07/28/2017
 ---
 # Manage connections from Windows operating system components to Microsoft services
@@ -81,7 +81,7 @@ See the following table for a summary of the management settings for Windows 10
 | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
-| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
@@ -132,7 +132,7 @@ See the following table for a summary of the management settings for Windows Ser
 | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
-| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | |
 | [17. Settings > Privacy](#bkmk-settingssection) | | | | |
@@ -296,7 +296,7 @@ After that, configure the following:
 - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
 > [!NOTE]
- > This is only available on Windows 10, version 1703 and later.
+ > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
 -or -
@@ -457,7 +457,7 @@ To turn off Live Tiles:
 - Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
-You must also unpin all tiles that are pinned to Start.
+In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
 ### 10. Mail synchronization
@@ -1261,7 +1261,7 @@ To turn off **Let apps read or send messages (text or MMS)**:
 -or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
 To turn off **Choose apps that can read or send messages**:
@@ -1690,12 +1690,11 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
 - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+ > [!NOTE]
+ > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
+
 -or-
-- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). - - -and- - - Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
 If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index de1c017907..4485b5e7e7 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Manage Windows 10 and Microsoft Store tips, tricks, and suggestions
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index 6f0d6a2526..d66b267355 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: eross-msft
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Manage Wi-Fi Sense in your company
diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md
index ecb327e4a5..6fe4753762 100644
--- a/windows/configuration/mobile-devices/configure-mobile.md
+++ b/windows/configuration/mobile-devices/configure-mobile.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: jdeckerms
 ---
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index 054f2423b3..13c5609760 100644
--- a/windows/configu
ration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure Windows 10 Mobile using Lockdown XML
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index 4c7a24ae08..98d2c703e6 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: jdeckerms
 ---
diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
index a3076896bb..839f23d947 100644
--- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
+++ b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Product IDs in Windows 10 Mobile
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 07adaea24d..7da86c0ac6 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: jdeckerms
 ---
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index e9da325a36..1885282b41 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # NFC-based device provisioning
diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md
index 3204fd85b1..1e44466908 100644
--- a/windows/configuration/mobile-devices/provisioning-package-splitter.md
+++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Barcode provisioning and the package splitter tool
diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 32ff70af9b..d5aadcad3e 100644
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index 5f5c0e2193..1a2a59eb33 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Settings and quick actions that can be locked down in Windows 10 Mobile
diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
index fb967c625a..f7d4204adb 100644
--- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Start layout XML for mobile editions of Windows 10 (reference) diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index f1aeed6ade..72b2e23caf 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: high +ms.localizationpriority: high --- # Configure cellular settings for tablets and PCs diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 655266907f..b62bdf4c0b 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Introduction to configuration service providers (CSPs) for IT pros diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 8c55fb568e..859a33f7bd 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -7,7 +7,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provision PCs with common settings for initial deployment (desktop wizard) 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index de91fcd4cb..932bc297e9 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provision PCs with apps and certificates for initial deployment (advanced provisioning) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 835fa8a371..e818979df8 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provision PCs with apps diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 5ff8a5efe4..baa60ac6fd 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Apply a provisioning package 
@@ -18,6 +18,9 @@ localizationpriority: high Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +>[!NOTE] +>Applying a provisioning package to a desktop device requires administrator privileges on the device. + ## Desktop editions ### During initial setup, from a USB drive diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 1204c7c83d..5eda051a35 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Windows Configuration Designer command-line interface (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 6607c821d3..dc25ab7ceb 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Create a provisioning package for Windows 10 diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index e5acff9568..0596ad5024 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # How provisioning works in Windows 10 diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index ba730bf0b5..e4bec41c89 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install Windows Configuration Designer diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 9a54b72f77..6da2cc4314 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Create a provisioning package with multivariant settings diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 3b50ac1ed9..f9d607c19c 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provisioning packages for Windows 10 
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 28621fa4b0..27015f653b 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # PowerShell cmdlets for provisioning Windows 10 (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index e53ee20836..e3de647451 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Use a script to install a desktop app in provisioning packages diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index fcfca68990..5cbafce644 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Settings changed when you uninstall a provisioning package diff --git a/windows/configuration/set-up-a-device-for-anyone-to-use.md b/windows/configuration/set-up-a-device-for-anyone-to-use.md deleted file mode 100644 index cce5f6428b..0000000000 
--- a/windows/configuration/set-up-a-device-for-anyone-to-use.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Set up a device for anyone to use in kiosk mode (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. -ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 -keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -localizationpriority: high ---- - -# Set up a device for anyone to use (kiosk mode) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -**Looking for Windows Embedded 8.1 Industry information?** - -- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) - -You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. - -> [!NOTE]   -> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. 
- -  - -| Windows 10 edition | Universal Windows app | Classic Windows application | -|--------------------|------------------------------------|--------------------------------------| -| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | - -  - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
    TopicDescription

    [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

    A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.

    [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)

    A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.

    - - ## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -  - -  - - - - - diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 41b090e5e9..7a5fa6db77 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Set up a kiosk on Windows 10 Pro, Enterprise, or Education diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 7a88e367cf..192728ded1 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Set up a shared or guest PC with Windows 10 diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 5c1898026e..e203016bfa 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.date: 06/13/2017 -localizationpriority: high +ms.localizationpriority: high --- # Start layout XML for desktop editions of Windows 10 (reference) 
@@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - The following example shows how to pin the Internet Explorer Windows desktop application: + The following example shows how to pin the File Explorer Windows desktop application: ```XML +``` + + ## Export Start layout and assets @@ -53,6 +72,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images + >[!TIP] >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. 
@@ -80,6 +100,94 @@ In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting, | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets** | **Value** | Paste the contents of the assets.xml file that you created. | +**Example XML string value for the Start/ImportEdgeAssets policy** + +``` + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAK7SURBVHgB7d2JcrJIFIDR1pZGGzC8/9OOaHsLMOs/+8w5tWZPvupcGlKBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/DMdjvnUlT7xuf58qUNZiPWJsc/TtQSxPvB2zG05ifWZfp5qCWJ9OsXDl7FM8R/EMsU/05vi39eb4l8QqwSxxPpnxCpf647pS2KFH9QSq0tfEiukINZ/7VAgllhiiSXWV8QSSyyxDHix/mhiiSWWWNdap5zzPIj1Yqg135yH3c882jrc3Nv0fWmm9FBLM6a7o1jxM6WhPJzTQ95dHb6IdZO3K+ktbVfSKT1cxYoaz5UzpGaMlg+Ohqs8c6Rrus1ftHqx7g7rGjk9neKtiyzWau2M+58wb34tq1h3eX04TKEvi7p5Z7Hqau1cUxjL4tLKidWku0u0abrVtmt28W+ztTq3+RWmeFub9mLF6unj2HfoU6ymFANNrPVcinObc456bYa9FbGaa8yoKS2mU7zDFCPLgG/icDinxXWI08E5xpdYmx8rt3E+PrftU/zAnVhhbofD4Tmrjs9fvnR3KEGsU4tUnysst7HepZYxiNWatEY1NvXlFCNLrDCmRdfHnird1RyT3tZhV6DGnqpt3C99nCUGsXJaPMd6bOrPh7jCHMSq+1PCKa1cyopYw/5iwzWFNrIM+HBIDzGgXt5RrHBMT8eXn7QvQaztRb8cI3/3GrFeJ3yNTf3uNWKF/Wu7l/cTK7ztB9RhP7JsHcI5Pcz7kR+vEStM8XfoJqfda8QKQ62nfNO9jPyhBLE+UmvNixIM+C+JJZZYYon1D+Nf6MQSSyyxDHixxBJLLLFGsdzGzg0S3XrTTV3FciPq4Bbn/2lunu+xDB744VEyHlKEx195sJpH9gEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAL8BVPKUzB0VBYIAAAAASUVORK5CYII= + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 
iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAJSSURBVHgB7d1HcuMwEEBRKBBglu9/WUc6tQBZmhze2832V08XGEwl/kwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALDbH45dTl+g9MM45WeJprkcljV/kGo47Q/jlKNEUO6WMdclwha/IBG2uFg3bPELbPEb2OJifSVHYon1m2Plr3X71CZWdEMtsbrUJlaU/mJiiSWWWA6l1SpiiSWWWGKJ9UOJJZZDqUPpNHaNWGJN+c1Y5vTkLJZYx/LcZj671dmfJRBrmtOzJdzpnKfzBBZ8n56V8O9DfidWvGe+bpNWHSyxNv2nHXWoDZZY9SU11wdLrE3/YcUvcbDEqo7WKT/ahcESK+rfVvwYzhFitUarz7mkJ7scOZTG0ZqnrjJYYgXrFmmIgyVWRUlP+hIHS6yKMW3CYFnwrdHaHHMgVnO0Sg7Eao/W8fpYYi1iXf/fcCfWDQt+Eevqo0O8ihYr2qUntfszDqXRVimfwmiJ1Rysvn3rT6w4WGue4k1lsaItUXl/XHFnwbdibYXGD8/FOrFeNAbrVHkuJlZjsJb8ZG2NVnrnifTu81G+F+vCuw5DfnH89DRfrMbz6M2ucltLrMZLM0t6MYoVY3UlLvRp/jRaDqXRuuZ3hzhaYl02jaMXcL3aHfmjAbHEEkssscQSSyyHUrHEEksssXzGzgcSfXpTrB9NLB+i9onz3ifObzOXw3EV69afZRDrZ/7gB/OP+SkZuz9dz+5PXL/709/LT/YBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPdXyNW8w51ZgAAAAASUVORK5CYII= + + + + + + + + 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 + + + + +``` + ### Using a provisioning package diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md index cad0f022bc..87b59d4a68 100644 --- a/windows/configuration/start-taskbar-lockscreen.md +++ b/windows/configuration/start-taskbar-lockscreen.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-the-windows-store.md index 43f1bbb647..f8b7650447 100644 --- a/windows/configuration/stop-employees-from-using-the-windows-store.md +++ b/windows/configuration/stop-employees-from-using-the-windows-store.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, mobile author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Configure access to Microsoft Store @@ -59,10 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](/windows/device-secu ## Block Microsoft Store using Group Policy -Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education +Applies to: Windows 10 Enterprise, Windows 10 Education > [!Note] -> Not supported on Windows 10 Pro. +> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](https://support.microsoft.com/kb/3135657). You can also use Group Policy to manage access to Microsoft Store. diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md new file mode 100644 index 0000000000..d3dd731cdf --- /dev/null +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -0,0 +1,58 @@ +--- +title: Accounts (Windows 10) +description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Accounts (Windows Configuration Designer reference) + +Use these settings to join a device to an Active Directory domain or an Azure Active Directory tenant, or to add local user accounts to the device. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Azure](#azure) | X | X | X | | | +| [ComputerAccount](#computeraccount) | X | | X | | X | +| [Users](#users) | X | | X | X | | + + +## Azure + +The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure additional provisioning settings. For information about using the wizards, see: + +- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) +- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) +- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + +## ComputerAccount + +Specifies the settings you can configure when joining a device to a domain, including the computer name and the account to use for joining the computer to the domain. 
+ +>[!NOTE] +>If you want to create a provisioning package that joins a device to Active Directory AND sets `HideOobe`, and you want to apply that package during OOBE, we also recommend setting the `ComputerName` and creating a local admin account in the provisioning package. + +| Setting | Value | Description | +| --- | --- | --- | +| Account | string | Account to use to join computer to domain | +| AccountOU | string | Name of organizational unit for the computer account | +| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIALNUMBER% characters in the name.

    ComputerName is a string with a maximum length of 15 bytes of content:

    - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

    - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

    - ComputerName cannot use some non-standard characters, such as emoji.

    Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | +| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | +| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | + +## Users + +Use these settings to add local user accounts to the device. + +| Setting | Value | Description | +| --- | --- | --- | +| UserName | string (cannot be empty) | Specify a name for the local user account | +| HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user | +| Password | string (cannot be empty) | Specify the password for the user account | +| UserGroup | string (cannot be empty) | Specify the local user group for the user | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md new file mode 100644 index 0000000000..daa6ca5eb8 --- /dev/null +++ b/windows/configuration/wcd/wcd-admxingestion.md 
@@ -0,0 +1,97 @@ +--- +title: ADMXIngestion (Windows 10) +description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# ADMXIngestion (Windows Configuration Designer reference) + +Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). + +- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file. +- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported. + + +>[!IMPORTANT] +>Only per-device policies can be set using a provisioning package. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | | +| [ConfigOperations](#configoperations) | X | | | | | + +## ConfigADMXInstalledPolicy + +>[!IMPORTANT] +>Configure the settings to import the ADMX file in [ConfigOperations](#configoperations) first. + +In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for that policy from the imported ADMX. You will need information from the ADMX that you import in **ConfigOperations** to complete **ConfigADMXInstalledPolicy**. + +1. Enter an area name, and then click **Add**. 
The structure of the area name is the following: + + `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX` + + See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example. + + Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates` + +2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`. +3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, ``. + +## ConfigOperations + +Use **ConfigOperations** to import an ADXM file or policies from an ADMX file. + +1. Enter an app name, and then click **Add**. + + This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**. + +2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. + + The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. + +3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**. + + The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. + +4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions. + + >[!NOTE] + >When you have a large ADMX file, you may want to only include specific settings. 
Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line). + +5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one. + + + +## Convert multi-line to single line + +Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**. + +```PS +$path="file path" +Get-Content $path -Raw).Replace("'r'n","") | Set-Content $path -Force +``` + +## Category and policy in ADMX + +The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names. + +![Snippet of ADMX shows category names highlighted](../images/admx-category.png) + +The next image highlights the specific policy. + +![Snipped of ADMX shows policy setting highlighted](../images/admx-policy.png) + + +## Related topics + +- [Policy configuration service provider (CSP): ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed) +- [Understanding ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md new file mode 100644 index 0000000000..f032ce168c --- /dev/null +++ b/windows/configuration/wcd/wcd-applicationmanagement.md 
@@ -0,0 +1,69 @@
+---
+title: ApplicationManagement (Windows 10)
+description: This section describes the ApplicationManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# ApplicationManagement (Windows Configuration Designer reference)
+
+Use these settings to manage app installation and management.
+
+## Applies to
+
+| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAllTrustedApps](#allowalltrustedapps) | | | | | X |
+| [AllowAppStoreAutoUpdate](#allowappstoreautoupdate) | | | | | X |
+| [RestrictAppDataToSystemVolume](#restrictappdatatosystemvolume) | | | | | X |
+| [RestrictAppToSystemVolume](#restrictapptosystemvolume) | | | | | X |
+
+## AllowAllTrustedApps
+
+Specifies whether non-Microsoft Store apps are allowed.
+
+| Value | Description |
+| --- | --- |
+| No | Only Microsoft Store apps are allowed |
+| Yes | Non-Microsoft Store apps are allowed |
+
+## AllowAppStoreAutoUpdate
+
+Specifies whether automatic update of apps from Microsoft Store are allowed
+
+| Value | Description |
+| --- | --- |
+| Disallowed | Automatic update of apps is not allowed |
+| Allowed | Automatic update of apps is allowed |
+
+
+## RestrictAppDataToSystemVolume
+
+Specifies whether application data is restricted to the system drive.
+
+| Value | Description |
+| --- | --- |
+| 0 | Not restricted |
+| 1 | Restricted |
+
+
+## RestrictAppToSystemVolume
+
+Specifies whether the installation of applications is restricted to the system drive.
+
+| Value | Description |
+| --- | --- |
+| 0 | Not restricted |
+| 1 | Restricted |
+
+## Related topics
+
+- [Policy configuration service provider (CSP): ApplicationManagement/AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps)
+- [Policy CSP: ApplicationManagement/AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate)
+- [Policy CSP: ApplicationManagement/RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume)
+- [Policy CSP: ApplicationManagement/RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
new file mode 100644
index 0000000000..ad5d7551fb
--- /dev/null
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -0,0 +1,35 @@
+---
+title: AssignedAccess (Windows 10)
+description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# AssignedAccess (Windows Configuration Designer reference)
+
+Use this setting to configure single use (kiosk) devices.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | |
+
+
+## AssignedAccessSettings
+
+Enter the account and the application you want to use for Assigned access, using [the AUMID](https://msdn.microsoft.com/windows/hardware/commercialize/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). When that user account signs in on the device, only the specified app will run.
+
+**Example**:
+
+```
+"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
+```
+## Related topics
+
+- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md
new file mode 100644
index 0000000000..abb8bbd179
--- /dev/null
+++ b/windows/configuration/wcd/wcd-automatictime.md
@@ -0,0 +1,45 @@
+---
+title: AutomaticTime (Windows 10)
+description: This section describes the AutomaticTime settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# AutomaticTime (Windows Configuration Designer reference)
+
+Use these settings to configure automatic time updates.
+
+## Applies to
+
+| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | |
+| [NTPRetryInterval](#ntpretryinterval) | | X | | | |
+| [NTPServer](#ntpserver) | | X | | | |
+
+
+## NTPRegularSyncInterval
+
+Set the regular sync interval for phones that are set to use Network Time Protocol (NTP) time servers. Select a value between `1` and `168` hours, inclusive, The default sync interval is `12` hours.
+
+
+## NTPRetryInterval
+
+Set the retry interval if the regular sync fails. Select a value between `1` and `24` hours, inclusive.
+
+## NTPServer
+
+Change the default NTP server for phones that are set to use NTP. To enumerate the NTP source server(s) used by the NTP client, set the value for NTPServer to a list of server names, delimited by semi-colons.
+
+**Example**:
+
+```
+ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com
+```
+
+The list should contain one or more server names. The default NTP source server value is `time.windows.com`.
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
new file mode 100644
index 0000000000..787b6fa65b
--- /dev/null
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -0,0 +1,86 @@
+---
+title: Browser (Windows 10)
+description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Browser (Windows Configuration Designer reference)
+
+Use to configure browser settings that should only be set by OEMs who are part of the Partner Search Code program.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [Favorites](#favorites) | | X | | | |
+| [PartnerSearchCode](#partnersearchcode) | X | X | X | X | |
+| [SearchProviders](#searchproviders) | | X | | | |
+
+## Favorites
+
+Use to configure the default list of Favorites that show up in the browser.
+
+To add a new item under the browser's **Favorites** list:
+
+1. In the **Name** field, enter a friendly name for the item, and then click **Add**.
+
+2. In the **Available customizations** pane, select the friendly name that you just created, and in the text field, enter the URL for the item.
+
+For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "http://www.contoso.com" for the URL.
+
+
+## PartnerSearchCode
+
+>[!IMPORTANT]
+>This setting should only be set by OEMs who are part of the Partner Search Code program.
+
+Set the value to a character string that corresponds to the OEM's Partner Search Code. This identification code must match the one assigned to you by Microsoft.
+
+OEMs who are part of the program only have one PartnerSearchCode and this should be used for all Windows 10 for desktop editions images.
+
+
+
+
+## SearchProviders
+
+Contains the settings you can use to configure the default and additional search providers.
+
+Microsoft Bing is the default search provider for Windows 10 Mobile. The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default).
+
+
+### Default
+
+Use *Default* to specify a name that matches one of the search providers you enter in [SearchProviderList](#searchproviderlist). If you don't specify a default search provider, this will default to Microsoft Bing.
+
+#### Specific region guidance
+
+Some countries require specific, default search providers. The following table lists the applicable countries and information for configuring the necessary search provider.
+
+>[!NOTE]
+>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey.
+
+
+
+### SearchProviderList
+
+Use to specify a list of additional search providers.
+
+1. In the **Name** field, enter a name for the item, and then click **Add**.
+
+2. In the **Available customizations** pane, select the name that you just created, and in the text field, enter the URL for the additional search provider.
+
+For example, to specify Yandex in Russia and Commonwealth of Independent States (CIS), set the value of URL to "https://yandex.ru/search/touch/?text={searchTerm}&clid=2234144".
+
+When configured with multiple search providers, the browser can display up to ten search providers.
+
+>[!IMPORTANT]
+>Microsoft Bing is the default search provider for Windows 10 Mobile.
The default search provider must be set to Bing, except for devices shipping to certain countries where a different default search provider is required as specified in the [Specific region guidance](#specific-region-guidance) section of [Default](#default).
+
+
+
diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
new file mode 100644
index 0000000000..bb07ccc02c
--- /dev/null
+++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
@@ -0,0 +1,36 @@
+---
+title: CallAndMessageEnhancement (Windows 10)
+description: This section describes the CallAndMessagingEnhancement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# CallAndMessagingEnhancement (Windows Configuration Designer reference)
+
+Use to configure call origin and blocking apps.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [BlockingApp](#blockingapp) | | X | | | |
+| [CallOriginApp](#calloriginapp) | | X | | | |
+
+## BlockingApp
+
+| Setting | Value | Description |
+| --- | --- | --- |
+| ActiveBlockingAppUserModelId | AUMID | The AUMID of the application that will be set as the active blocking app by default. |
+| DefaultBlockingAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active blocking app if the user uninstalls the current active blocking app. This app should be uninstallable. |
+
+## CallOriginApp
+
+| Setting | Value | Description |
+| --- | --- | --- |
+| ActiveCallOriginAppUserModelId | AUMID | The AUMID of the application to be set as the active call origin provider app by default. |
+| DefaultCallOriginAppUserModelId | AUMID | The AUMID of the application that the OS will select as the active call origin provider app if the user uninstalls the current active call origin app. This app should be uninstallable. |
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
new file mode 100644
index 0000000000..64258bbe02
--- /dev/null
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -0,0 +1,43 @@
+---
+title: Cellular (Windows 10)
+description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Cellular (Windows Configuration Designer reference)
+
+Use to configure settings for cellular connections.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [AccountExperienceURL](#accountexperienceurl) | X | | | | |
+| [AppID](#appid) | X | | | | |
+| [NetworkBlockList](#networkblocklist) | X | | | | |
+| [SIMBlockList](#simblocklist) | X | | | | |
+
+
+To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it.
+
+## AccountExperienceURL
+
+Enter the URL for the mobile operator's web page.
+
+## AppID
+
+Enter the AppID for the mobile operator's app in Microsoft Store.
+
+## NetworkBlockList
+
+Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
+
+## SIMBlockList
+
+Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
new file mode 100644
index 0000000000..6347a4795d
--- /dev/null
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -0,0 +1,71 @@
+---
+title: Certificates (Windows 10)
+description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Certificates (Windows Configuration Designer reference)
+
+Use to deploy Root Certificate Authority (CA) certificates to devices. The following list describes the purpose of each setting group.
+
+- In [CACertificates](#cacertificates), you specify a certificate that will be added to the Intermediate CA store on the target device.
+- In [ClientCertificates](#clientcertificates), you specify a certificate that will be added to the Personal store on the target device, and provide (password, keylocation), (and configure whether the certificate can be exported).
+- In [RootCertificates](#rootcertificates), you specify a certificate that will be added to the Trusted Root CA store on the target device.
+- In [TrustedPeopleCertificates](#trustedpeoplecertificates), you specify a certificate that will be added to the Trusted People store on the target device.
+- In [TrustedProvisioners](#trustedprovisioners), you specify a certificate which allows devices to automatically trust packages from the specified publisher.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All setting groups | X | X | X | X | X |
+
+
+## CACertificates
+
+1. In **Available customizations**, select **CACertificates**, enter a friendly name for the certificate, and then click **Add**.
+2. In **Available customizations**, select the name that you just created.
+3. In **CertificatePath**, browse to or enter the path to the certificate.
+
+
+## ClientCertificates
+
+1.
In **Available customizations**, select **ClientCertificates**, enter a friendly name for the certificate, and then click **Add**.
+2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required.
+
+| Setting | Value | Description |
+| --- | --- | ---- |
+| **CertificatePassword** | | |
+| **CertificatePath** | | Adds the selected certificate to the Personal store on the target device. |
+| ExportCertificate | True or false | Set to **True** to allow certificate export. |
+| **KeyLocation** | - TPM only
    - TPM with software fallback
    - Software only | |
+
+## RootCertificates
+
+1. In **Available customizations**, select **RootCertificates**, enter a friendly name for the certificate, and then click **Add**.
+2. In **Available customizations**, select the name that you just created.
+3. In **CertificatePath**, browse to or enter the path to the certificate.
+
+## TrustedPeopleCertificates
+
+1. In **Available customizations**, select **TrustedPeopleCertificates**, enter a friendly name for the certificate, and then click **Add**.
+2. In **Available customizations**, select the name that you just created.
+3. In **TrustedCertificate**, browse to or enter the path to the certificate.
+
+
+## TrustedProvisioners
+
+1. In **Available customizations**, select **TrustedPprovisioners**, enter a CertificateHash, and then click **Add**.
+2. In **Available customizations**, select the name that you just created.
+3. In **TrustedProvisioner**, browse to or enter the path to the certificate.
+
+## Related topics
+
+
+- [RootCATrustedCertficates configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/rootcacertificates-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
new file mode 100644
index 0000000000..ec1f5eaadc
--- /dev/null
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -0,0 +1,28 @@
+---
+title: CleanPC (Windows 10)
+description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# CleanPC (Windows Configuration Designer reference)
+
+Use to remove user-installed and pre-installed applications, with the option to persist user data.
+
+## Applies to
+
+| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| CleanPCRetainingUserData | X | | | | |
+| CleanPCWithoutRetainingUserData | X | | | | |
+
+For each setting, the options are **Enable** and **Not configured**.
+
+## Related topics
+
+- [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
new file mode 100644
index 0000000000..1ce0db8e5b
--- /dev/null
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -0,0 +1,45 @@
+---
+title: Connections (Windows 10)
+description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Connections (Windows Configuration Designer reference)
+
+Use to configure settings related to variou types of phone connections.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [Cellular](#cellular) | X | X | X | X | |
+| [EnterpriseAPN](#enterpriseapn) | X | X | X | X | |
+| [Policies](#policies) | X | X | X | X | |
+| [Proxies](#proxies) | X | X | X | X | |
+
+For each setting group:
+1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**.
+2. In **Available customizations**, select the name that you just created.
+
+## Cellular
+
+See [CM_CellularEntries configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-cellularentries-csp) for settings and values.
+
+## EnterpriseAPN
+
+See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and
+[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values.
+
+## Policies
+
+See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values.
+
+## Proxies
+
+See [CM_ProxyEntries CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-proxyentries-csp) for settings and values.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
new file mode 100644
index 0000000000..bb7d3366c0
--- /dev/null
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -0,0 +1,183 @@
+---
+title: ConnectivityProfiles (Windows 10)
+description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# ConnectivityProfiles (Windows Configuration Designer reference)
+
+Use to configure profiles that a user will connect with, such as an email account or VPN profile.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [Email](#email) | X | X | X | X | X |
+| [Exchange](#exchange) | X | X | X | X | X |
+| [KnownAccounts](#knownaccounts) | X | X | X | X | X |
+| [VPN](#vpn) | X | X | X | X | X |
+| [WiFiSense](#wifisense) | X | X | X | X | X |
+| [WLAN](#wlan) | X | X | X | X | X |
+
+## Email
+
+Specify an email account to be automatically set up on the device.
+
+1. In **Available customizations**, select **Email**, enter a friendly name for the account, and then click **Add**.
+2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure for each account. Settings in **bold** are required.
+
+| Setting | Description |
+| --- | --- |
+| **AccountType** | Select between **Normal email** and **Visual voice mail** |
+| AuthForOutgoingMail | Set to **True** if the outgoing server requires authentication |
+| Domain | Enter the domain for the account |
+| HaveAlternateCredentialsForSMTP | Specify whether the user's alternate SMTP account is enabled. If enabled, configure the **SMTPDomain**, **SMTPName**, and **SMTPPassword** settings |
+| InboxUpdateFrequency | Specify the time between email send/receive updates, in minutes. Available values are:

    - Manual update
    - Every 2 hours
    - Every 15 minutes
    - Every 30 minutes
    - Every hour |
+| **IncomingMailServerName** | Enter the name of the messaging service's incoming email server |
+| **OutgoingServerName** | Enter the name of the messaging service's outgoing mail server |
+| Password | Enter the password for the account |
+| ReplyAddress | Enter the reply address for the account |
+| SenderName | Enter the name of the sender for the account |
+| **ServiceName** | Enter the name of the email service |
+| **ServiceType** | Select **IMAP4** or **POP3** for service type |
+| SMTPDomain | Enter the domain name for the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled |
+| SMTPName | Enter the display name associated with the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled |
+| SMTPPassword | Enter the password for the user's alternate SMTP account, if **HaveAlternateCredentialsForSMTP** is enabled |
+| SSLIncoming | Specify whether the incoming email server uses SSL |
+| SSLOutgoing | Specify whether the outgoing email server uses SSL |
+| SyncOptions | Specify how many days' worth of emails should be downloaded from the server. Available values are:

    - All mail
    - Two weeks
    - One month
    - One week |
+| **UserName** | Enter the user name for the account |
+
+## Exchange
+
+Configure settings related to Exchange email server. These settings are related to the [ActiveSync configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/activesync-csp).
+
+
+1. In **Available customizations**, select **Exchange**, enter a name for the account, and then click **Add**. A globally unique identifier (GUID) is generated for the account.
+2. In **Available customizations**, select the GUID that you just created. The following table describes the settings you can configure. Settings in **bold** are required.
+
+| Setting | Description |
+| --- | --- |
+| AccountIcon | Specify the location of the icon associated with the account.

    The account icon can be used as a tile in the Start list or as an icon in the applications list under **Settings > Email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.genericmail.png`. The suggested icon for Exchange Accounts is at `res://AccountSettingsSharedRes{ScreenResolution}!%s.office.outlook.png`. Custom icons can be added if desired. |
+| **AccountName** | Enter the name that refers to the account on the device |
+| **AccountType** | Select **Exchange** |
+| **DiagnosticLogging** | Select whether to disable logging, enable basic logging, or enable advanced logging |
+| Domain | Enter the domain name of the Exchange server |
+| **EmailAddress** | Enter the email address associated with the Exchange ActiveSync account. |
+| **MailAgeFilter** | Specify the time window used for syncing email items to the device. Available values are:

    - All email is synced
    - Only email up to three days old is synced
    -Email up to a week old is synced (default)
    - Email up to two weeks old is synced
    - Email up to a month old is synced |
+| **Password** | Enter the password for the account |
+| **Schedule** | Specify the time until the next sync is performed, in minutes. Available values are:

    - As items are received (default)
    - Sync manually
    - Every 15 minutes
    - Every 30 minutes
    - Every 60 minutes |
+| **ServerName**| Enter the server name used by the account |
+| SyncCalendar_Enable | Enable or disable calendar sync |
+| SyncCalendar_Name | If you enable calendar sync, enter **Calendar** |
+| SyncContacts_Enable | Enable or disable contacts sync |
+| SyncContacts_Name | If you enable contacts sync, enter **Contacts** |
+| SyncEmail_Enable| Enable or disable email sync |
+| SyncEmail_Name | If you enable email sync, enter **Email** |
+| SyncTasks_Enable | Enable or disable tasks sync |
+| SyncTasks_Name | If you enable tasks sync, enter **Tasks** |
+| **UserName** | Enter the user name for the account |
+| UseSSL | Specify whether to use Secure Sockets Layer (SSL) |
+
+## KnownAccounts
+
+Configure the settings to add additional email accounts.
+
+| Setting | Description |
+| --- | --- |
+| KnownAccountsOEM |Enter the source or file location of the KnownAccountsOEM.xml file on your development workstation. |
+| OemFilePath | Enter the name of the XML file that defines the new account to be added. The name must be KnownAccountsOEM.xml. |
+
+## VPN
+
+Configure settings to change the default maximum transmission unit ([MTU](#mtu)) size settings for Point-to-Point Protocol (PPP) connections or for virtual private network (VPN) connections, or to create a [VPN profile](#vpn).
+
+### MTU
+
+| Setting | Description |
+| --- | --- |
+| PPPProtocolType | Select **VPNPPPProtocolType** |
+| ProtocolType | Select **VPNProtocolType** |
+| TunnelMTU | Enter the desired MTU size, between **1** and **1500** |
+
+### VPN
+
+1. In **Available customizations**, select **VPNSetting**, enter a friendly name for the account, and then click **Add**.
+2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. Settings in **bold** are required.
+
+| Setting | Description |
+| --- | --- |
+| **ProfileType** | Choose between **Native** and **Third Party** |
+| RememberCredentials | Select whether credentials should be cached |
+| AlwaysOn | Set to **True** to automatically connect the VPN at sign-in |
+| LockDown | When set to **True**:
    - Profile automatically becomes an "always on" profile
    - VPN cannot be disconnected
    -If the profile is not connected, the user has no network connectivity
    - No other profiles can be connected or modified |
+| ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN |
+| DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. |
+| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. |
+| Proxy | Configure to **Automatic** or **Manual** |
+| ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings |
+| ProxyServer | When **Proxy** is set to **Manual**, enter the proxy server address as a fully qualified hostname or enter `IP address:Port` |
+
+## WiFiSense
+
+Configure settings related to Wi-Fi Sense.
+
+### Config
+
+The **Config** settings are initial settings that can be overwritten when settings are pushed to the device by the cloud.
+
+| Setting | Description |
+| --- | --- |
+| WiFiSharingFacebookInitial | Enable or disable sharing of Wi-Fi networks with Facebook contacts |
+| WiFiSharingOutlookInitial | Enable or disable sharing of Wi-Fi networks with Outlook contacts |
+| WiFiSharingSkypeInitial | Enable or disable sharing of Wi-Fi networks with Skype contacts |
+
+### FirstBoot
+
+| Setting | Description |
+| --- | --- |
+| DefaultAutoConnectOpenState | When enabled, the OOBE Wi-Fi Sense checkbox to automatically connect to open networks will be checked. |
+| DefaultAutoConnectSharedState | When enabled, the OOBE Wi-Fi Sense checkbox to share networks with contacts will be checked. |
+| WiFiSenseAllowed | Enable or disable Wi-Fi Sense. Wi-Fi Sense features include auto-connect to Wi-Fi hotspots and credential sharing.
|
+
+### SystemCapabilities
+
+You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Telemetry data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
+
+| Setting | Description |
+| --- | --- |
+| CoexistenceSupport | Specify the type of co-existence that's supported on the device:

    - **Both**: Both Wi-Fi and Bluetooth work at the same performance level during co-existence
    - **Wi-Fi reduced**: On a 2X2 system, Wi-Fi performance is reduced to 1X1 level
    - **Bluetooth centered**: When co-existing, Bluetooth has priority and restricts Wi-Fi performance
    - **One**: Either Wi-Fi or Bluetooth will stop working |
+| NumAntennaConnected | Enter the number of antennas that are connected to the WLAN radio |
+| SimultaneousMultiChannelSupported | Enter the maximum number of channels that the Wi-Fi device can simultaneously operate on. For example, you can use this to specify support for Station mode and Wi-Fi Direct GO on separate channels simultaneously. |
+| WLANFunctionLevelDeviceResetSupported | Select whether the device supports functional level device reset (FLDR). The FLDR feature in the OS checks this system capability exclusively to determine if it can run. |
+| WLANPlatformLevelDeviceResetSupported | Select whether the device supports platform level device reset (PLDR). The PLDR feature in the OS checks this system capability exclusively to determine if it can run. |
+
+
+## WLAN
+
+Configure settings for wireless connectivity.
+
+### Profiles
+
+**To add a profile**
+
+1. Create [the wireless profile XML](https://msdn.microsoft.com/library/windows/desktop/aa369853.aspx).
+2. In **WLAN > Profiles**, browse to and select the profile XML file.
+3. Click **Add**.
+
+### WLANXmlSettings
+
+Enter a SSID, click **Add**, and then configure the following settings for the SSID.
+
+| Settings | Description |
+| --- | --- |
+| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. |
+| AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. |
+| HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden.
| +| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**.

    If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md new file mode 100644 index 0000000000..aea53e22de --- /dev/null +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -0,0 +1,23 @@ +--- +title: CountryAndRegion (Windows 10) +description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# CountryAndRegion (Windows Configuration Designer reference) + +Use to configure a setting that partners must customize to ship Windows devices to specific countries/regions. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| CountryCodeForExtendedCapabilityPrompts | X | X | X | X | | + +You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md new file mode 100644 index 0000000000..1cf770db9b --- /dev/null +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md 
@@ -0,0 +1,22 @@ +--- +title: DesktopBackgrounAndColors (Windows 10) +description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DesktopBackgrounAndColors (Windows Configuration Designer reference) + +Do not use. Instead, use the [Personalization settings](wcd-personalization.md). + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md new file mode 100644 index 0000000000..e7c4378477 --- /dev/null +++ b/windows/configuration/wcd/wcd-developersetup.md 
@@ -0,0 +1,37 @@ +--- +title: DeveloperSetup (Windows 10) +description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeveloperSetup (Windows Configuration Designer reference) + +Use to unlock developer mode on HoloLens devices and configure authentication to Windows Device Portal. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [EnableDeveloperMode](#enabledevelopermode) | | | | X | | +| [AuthenticationMode](#authenticationmode) | | | | X | | + + + +## DeveloperSetupSettings: EnableDeveloperMode + +When this setting is configured as **True**, the device is unlocked for developer functionality. + + +## WindowsDevicePortalSettings: Authentication Mode + +When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal. + +## Related topics + +- [Device Portal for HoloLens](https://docs.microsoft.com/windows/uwp/debug-test-perf/device-portal-hololens) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md new file mode 100644 index 0000000000..dc1e5cd524 --- /dev/null +++ b/windows/configuration/wcd/wcd-deviceformfactor.md 
@@ -0,0 +1,67 @@ +--- +title: DeviceFormFactor (Windows 10) +description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeviceFormFactor (Windows Configuration Designer reference) + +Use to identify the form factor of the device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DeviceForm | X | X | X | X | | + +Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. + +DeviceForm supports the following features or components: + +- Cortana and Bing use the DeviceForm value to determine the accuracy of specific signals, such as location (GPS versus Wi-Fi versus reverse IP address lookup). +- Windows 10 features, such as Bluetooth and camera, may require DeviceForm to be accurately configured for full functionality. + +Select the appropriate form from the dropdown menu. + +| Device form | Description | +| --- | --- | +| Phone | A typical smartphone combines cellular connectivity, a touch screen, rechargeable power source, and other components into a single chassis. | +| LargeScreen | Microsoft Surface Hub | +| HMD | (Head-mounted display) A holographic computer that is completely untethered - no wires, phones, or connection to a PC needed. | +| IndustryHandheld | A device screen less than 7” diagonal designed for industrial solutions. May or may not have a cellular stack. 
| +| IndustryTablet | A device with an integrated screen greater than 7” diagonal and no attached keyboard designed for industrial solutions as opposed to consumer personal computer. May or may not have a cellular stack. | +| Banking | A machine at a bank branch or another location that enables customers to perform basic banking activities including withdrawing money and checking one's bank balance. | +| BuildingAutomation | A controller for industrial environments that can include the scheduling and automatic operation of certain systems such as conferencing, heating and air conditioning, and lighting. | +| DigitalSignage | A computer or playback device that's connected to a large digital screen and displays video or multimedia content for informational or advertising purposes. | +| Gaming | A device that's used for playing a game. It can be mechanical, electronic, or electromechanical equipment. | +| HomeAutomation | A controller that can include the scheduling and automatic operation of certain systems including heating and air conditioning, security, and lighting. | +| Industrial Automation | Computers that are used to automate manufacturing systems such as controlling an assembly line where each station is occupied by industrial robots. | +| Tablet | A device with an integrated screen that's less than 18". It combines a touch screen, rechargeable power source, and other components into a single chassis with an optional attachable keyboard. | +| Kiosk | An unattended structure that can include a keyboard and touch screen and provides a user interface to display interactive information and allow users to get more information. | +| MakerBoard | A low-cost and compact development board that's used for prototyping any number IoT-related things. | +| Medical | Devices built specifically to provide medical staff with information about the health and well-being of a patient. 
| +| Networking | A device or software that determines where messages, packets, and other signals will go next. | +| POS | (Point of Service) An electronic cash register or self-service checkout. | +| Printing | A printer, copy machine, or a combination of both. | +| ThinClient | A device that connects to a server to perform computing tasks as opposed to running apps locally. | +| Toy | A device used solely for enjoyment or entertainment. | +| Vending | A machine that dispenses items in exchange for payment in the form of coin, currency, or credit/debit card. | +| IndustryOther |A device that doesn't fit into any of the previous categories. | +| Desktop | A desktop PC form factor traditional comes in an upright tower or small desktop chassis and does not have an integrated screen. | +| Notebook | A notebook is a portable clamshell device with an attached keyboard that cannot be removed. | +| Convertible | A convertible device is an evolution of the traditional notebook where the keyboard can be swiveled, rotated or flipped, but not completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| Detachable | A detachable device is an evolution of the traditional notebook where the keyboard can be completely removed. It is a blend between a traditional notebook and tablet, also called a 2-in-1. | +| AIO | An All-in-One (AIO) device is an evolution of the traditional desktop with an attached display. | +| Stick | A device that turns your TV into a Windows computer. Plug the stick into the HDMI slot on the TV and connect a USB or Bluetooth keyboard or mouse. | +| Puck | A small-size PC that users can use to plug in a monitor and keyboard. | + + + + + diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md new file mode 100644 index 0000000000..9297174468 --- /dev/null +++ b/windows/configuration/wcd/wcd-devicemanagement.md 
@@ -0,0 +1,92 @@ +--- +title: DeviceManagement (Windows 10) +description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DeviceManagement (Windows Configuration Designer reference) + +Use to... + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [Accounts](#accounts) | X | X | X | X | | +| [PGList](#pglist) | X | X | X | X | | +| [Policies](#policies) | X | X | X | X | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | X | | + +## Accounts + +1. In **Available customizations**, select **Accounts**, enter a friendly name for the account, and then click **Add**. +2. In **Available customizations**, select the account that you just created. The following table describes the settings you can configure. Settings in **bold** are required. + +| Setting | Description | +| --- | --- | +| **Address** | Enter the OMA DM server address | +| **AddressType** | Choose between **IPv4** and **URI** for the type of OMA DM server address. The default value of **URI** specifies that the OMA DM account address is a URI address. A value of **IPv4** specifies that the OMA DM account address is an IP address. | +| **AppID** | Select **w7** | +| Authentication > Credentials | 1. Select a credentials level (CLCRED or SRVCRED). A value of **CLCRED** indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of **SRVCRED** indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
    2. In **Available customizations**, select the level.
    3. For **Data**, enter the authentication nonce as a Base64 encoded string.
    4. For **Level**, select **CLCRED** or **SRVCRED**.
    5. For **Name**, enter the authentication name.
    6. For **Secret**, enter the password or secret used for authentication.
    7. For **Type**, select between **Basic**, **Digest**, and **HMAC**. For **CLCRED**, the supported values are **BASIC** and **DIGEST**. For **SRVCRED**, the supported value is **DIGEST**. | +| AuthenticationPreference | Select between **Basic**, **Digest**, and **HMAC** | +| BackCompatRetryDisabled | Specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled. | +| ConnectionRetries | Enter a number to specify how many retries the DM client performs when there are Connection Manager-level or wininet-level errors. The default value is `3`. | +| CRLCheck | Specify whether a CRL Check should be performed. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to **True** to enable SSL revocation. 
| +| DefaultEncoding | Select whether the OMA DM client will use **WBXML** or **XML** for the DM package when communicating with the server | +| DisableOnRoaming | Specify whether the client will connect while cellular roaming | +| InitialBackOffTime | Specify the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry | +| InitiateSession | Specify whether a session should be started with the MDM server when the account is provisioned | +| MaxBackOffTime | Specify the maximum number of milliseconds to wait before attemption a connection retry | +| Name | Enter a display name for the management server | +| Port | Enter the OMA DM server port | +| PrefConRef | Enter a URI to NAP management object or a connection GUID used by the device Connection Manager | +| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports | +| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server | +| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account | +| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | +| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device | +| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication | + + +## PGList + +1. In **Available customizations**, select **PGList**, enter a LogicalProxyName, and then click **Add**. +2. 
In **Available customizations**, select the LogicalProxyName that you just created, and then select **PhysicalProxies**. +3. Enter a PhysicalProxyName, and then click **Add**. The following table describes the settings you can configure for the physical proxy and for **Trust**. + +| Setting | Description | +| --- | --- | +| Address | Enter the address of the physical proxy | +| AddressType | Select between **E164**, **IPV4**, and **IPV^** for the format and protocol of the PXADDR element for a physical proxy | +| MatchedNapID | Enter a string that defines the SMS bearer. This string must match the NAPID exactly. The value must contains MVID macro if it is an IPv4 PXADDRTYPE. | +| PushEnabled | Select whether push operations are enabled | +| Trust | Specify whether or not the physical proxies in this logical proxy are privileged | + + +## Policies + +The following table describes the settings you can configure for **Policies**. + +| Setting | Description | +| --- | --- | +| MMS > MMSMessageRoles | Select between **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. If a message contains at least one of the roles in the selected role mask, then the message is processed. | +| OMACP > NetwpinRoles | Select a policy role to specify whether OMA network PIN-signed messages will be accepted. OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

    **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UsernetwpinRoles | Select a policy role to specify whether the OMA user network PIN-signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

    **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UserpinRoles | Select a policy role to specify whether the OMA user PIN or user MAC signed message will be accepted. OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

    Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| SISL > ServiceIndicationRoles | Specify the security roles that can accept SI messages. Service Indication (SI) Message policy indicates whether SI messages are accepted by specifying the security roles that can accept SI messages. An SI message is sent to the phone to notify users of new services, service updates, and provisioning services.

    Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| SISL > ServiceLoadingRoles | Specify the security roles that can accept SL messages. Service Loading (SL) Message policy indicates whether SL messages are accepted by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the phone.

    Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | + +## TrustedProvisioningSource + +In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). + +## Related topics + +- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp) +- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md new file mode 100644 index 0000000000..4efec80320 --- /dev/null +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -0,0 +1,27 @@ +--- +title: DMClient (Windows 10) +description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# DMClient (Windows Configuration Designer reference) + +Use to specify enterprise-specific mobile device management configuration setting. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| UpdateManagementServiceAddress | X | X | X | X | X | + +For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. + +## Related topics + +- [DMClient configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md new file mode 100644 index 0000000000..cb2fd133b6 --- /dev/null 
+++ b/windows/configuration/wcd/wcd-editionupgrade.md 
@@ -0,0 +1,46 @@ +--- +title: EditionUpgrade (Windows 10) +description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# EditionUpgrade (Windows Configuration Designer reference) + +Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 edition upgrades.](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [ChangeProductKey](#changeproductkey) | X | X | | X | | +| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | X | X | | X | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | X | | + + +## ChangeProductKey + +Enter a product key, which will be used to update the existing product key on the device. + +## UpgradeEditionWithLicense + +Browse to and select a license XML file for the edition upgrade. + + +## UpgradeEditionWithProductKey + +Enter a product key for an edition upgrade of Windows 10 devices. + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and changepk.exe runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. 
+ + +## Related topics + +- [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/windowslicensing-csp) diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md new file mode 100644 index 0000000000..833b66a43a --- /dev/null +++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md @@ -0,0 +1,29 @@ +--- +title: EmbeddedLockdownProfiles (Windows 10) +description: This section describes the EmbeddedLockdownProfiles setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# EmbeddedLockdownProfiles (Windows Configuration Designer reference) + +Use to apply an XML configuration to a mobile device that locks down the device, configures custom layouts, and define multiple roles. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| AssignedAccessXml | | X | | | | + +1. Create a lockdown XML file, either by using [the Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) or [manually](../mobile-devices/lockdown-xml.md). +2. In the **AssignedAccessXml** setting, browse to and select the lockdown XML file that you created. + + +## Related topics + +- [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md new file mode 100644 index 0000000000..5e394b2f6b --- /dev/null +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -0,0 +1,27 @@ +--- +title: FirewallConfiguration (Windows 10) +description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# FirewallConfiguration (Windows Configuration Designer reference) + +Use to enable AllJoyn router to work on public networks. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| EnableAllJoynOnPublicNetwork | | | | | X | + +Set to **True** or **False**. + +## Related topics + +- [AllJoyn](https://developer.microsoft.com/windows/iot/docs/alljoyn) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md new file mode 100644 index 0000000000..b3a53776ff --- /dev/null +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -0,0 +1,16 @@ +--- +title: FirstExperience (Windows 10) +description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# FirstExperience (Windows Configuration Designer reference) + +Do not configure **FirstExperience** in provisioning packages at this time. These settings will be available to configure the out-of-box experience (OOBE) to set up HoloLens in a future release. + diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md new file mode 100644 index 0000000000..bbad0c9cb9 --- /dev/null +++ b/windows/configuration/wcd/wcd-folders.md 
@@ -0,0 +1,23 @@ +--- +title: Folders (Windows 10) +description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# Folders (Windows Configuration Designer reference) + +Use to add files to the device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| PublicDocuments | X | X | X | X | | + +Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md new file mode 100644 index 0000000000..db5b9cee8b --- /dev/null +++ b/windows/configuration/wcd/wcd-initialsetup.md 
@@ -0,0 +1,30 @@ +--- +title: InitialSetup (Windows 10) +description: This section describes the InitialSetup setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# InitialSetup (Windows Configuration Designer reference) + +Use to set the name of the Windows mobile device. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| DeviceName | | X | | | | + +In **DeviceName**, enter a name for the device. If **DeviceName** is set to an asterisk (*) or is an empty string, a random device name will be generated. + +**DeviceName** is a string with a maximum length of 15 bytes of content: + +- **DeviceName** can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content. +- **DeviceName** cannot use spaces or any of the following characters: { | } ~ [ \ ] ^ ' : ; < = > ? @ ! " # $ % ` ( ) + / . , * &, or contain any spaces. +- **DeviceName** cannot use some non-standard characters, such as emoji. + diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md new file mode 100644 index 0000000000..d1a2e56c56 --- /dev/null +++ b/windows/configuration/wcd/wcd-internetexplorer.md 
@@ -0,0 +1,95 @@
+---
+title: InternetExplorer (Windows 10)
+description: This section describes the InternetExplorer settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# InternetExplorer (Windows Configuration Designer reference)
+
+Use to configure settings related to Internet Explorer.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [CustomHTTPHeaders](#customhttpheaders) | | X | | | |
+| [CustomUserAgentString](#customuseragentstring) | | X | | | |
+| DataSaving > [BrowseDataSaver](#browsedatasaver) | | X | | | |
+| DataSaving > [ShowPicturesAutomatically](#showpicturesautomatically) | | X | | | |
+| [FirstRunURL](#firstrunurl) | | X | | | |
+
+## CustomHTTPHeaders
+
+Configure Microsoft Edge to send custom HTTP headers. These will be sent in addition to the default HTTP headers with all HTTP and HTTPS requests. The header is the portion of the HTTP request that defines the form of the message.
+
+- A maximum of 16 custom headers can be defined.
+- Custom headers cannot be used to modify the user agent string.
+- Each header must be no more than 1 KB in length.
+
+The following header names are reserved and must not be overwritten:
+
+- Accept
+- Accept-Charset
+- Accept-Encoding
+- Authorization
+- Expect
+- Host
+- If-Match
+- If-Modified-Since
+- If-None-Match
+- If-Range
+- If-Unmodified-Since
+- Max-Forwards
+- Proxy-Authorization
+- Range
+- Referer
+- TE
+- USER-AGENT
+- X-WAP-PROFILE
+
+1. In **Available customizations**, select **CustomHTTPHeaders**, enter a name, and then click **Add**.
+2. In **Available customizations**, select the name that you just created.
+3. Enter the custom header.
+
+## CustomUserAgentString
+
+The user agent string indicates which browser you are using, its version number, and details about your system, such as operating system and version. A web server can use this information to provide content that is tailored for your specific browser and phone.
+
+The user agent string for the browser cannot be modified. By default, the string has the following format:
+
+`Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; ; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Mobile Safari/537.36 Edge/12.10166`
+
+- is automatically replaced with the OEM name. This is the same as the PhoneManufacturer setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
+- is replaced with the device name or phone name. This is the same as the PhoneModelName setting value that is set as part of the customization Phone metadata in DeviceTargetingInfo.
+
+
+**Limitations and restrictions:**
+
+- The user agent string for the browser cannot be modified outside of the customizations listed above.
+- The user agent type registry setting cannot be modified or used to change the default browser view from Mobile to Desktop.
+
+
+
+## BrowseDataSaver
+
+Use to set the browser data saver default setting. **True** turns on the browser data saver feature.
+
+Partners can configure the default setting for the browser data saver feature by turning the browser optimization service (through the BrowserDataSaver setting) on or off.
+
+
+## ShowPicturesAutomatically
+
+Use to enable or disable whether the **Show pictures automatically** setting is available in Internet Explorer **advanced settings**.
+
+
+## FirstRunURL
+
+Use to set the home page that appears the first time that Microsoft Edge is opened. This page is only shown the first time the browser is opened. After that, the browser displays either the most recently viewed page or an empty page if the user has closed all tabs or opens a new tab.
+
+Specify the **FirstRunURL** value with a valid link that starts with http://. It is recommended you use a forward link that redirects the user to a localized page.
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
new file mode 100644
index 0000000000..5b3ebb4f41
--- /dev/null
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -0,0 +1,30 @@
+---
+title: Licensing (Windows 10)
+description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Licensing (Windows Configuration Designer reference)
+
+Use for settings related to Microsoft licensing programs.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | X | | | | |
+| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | X | | | | |
+
+## AllowWindowsEntitlementReactivation
+
+Enable or disable Windows license reactivation.
+
+## DisallowKMSClientOnlineAVSValidation
+
+Enable this setting to prevent the device from sending data to Microsoft regarding its activation state.
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
new file mode 100644
index 0000000000..4a1bfc4a7a
--- /dev/null
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -0,0 +1,48 @@
+---
+title: Maps (Windows 10)
+description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Maps (Windows Configuration Designer reference)
+
+Use for settings related to Maps.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | X | |
+| [UseExternalStorage](#useexternalstorage) | X | X | X | X | |
+| [UseSmallerCache](#usesmallercache) | X | X | X | X | |
+
+
+## ChinaVariantWin10
+
+Use **ChinaVariantWin10** to specify that the Windows device is intended to ship in China. When set to **True**, maps approved by the State Bureau of Surveying and Mapping in China are used, which are obtained from a server located in China.
+
+This customization may result in different maps, servers, or other configuration changes on the device.
+
+
+## UseExternalStorage
+
+Use to store map data on an SD card.
+
+Map data is used by the Maps application and the map control for third-party applications. This data can be store on an SD card, which provides the advantage of saving internal memory space for user data and allows the user to download more offline map data. Microsoft recommends enabling the **UseExternalStorage** setting on devices that have less than 8 GB of user storage and an SD card slot.
+
+You can use **UseExternalStorage** whether or not you include an SD card with preloaded map data on the phone. If set to **True**, the OS only allows the user to download offline maps when an SD card is present.
If an SD card is not present, users can still view and cache maps, but they will not be able to download a region of offline maps until an SD card is inserted.
+
+If set to **False**, map data will always be stored on the internal data partition of the device.
+
+>[!NOTE]
+>SD card performance can affect the quality of the Maps experience when maps are stored on the SD card. When an SD card is used, Microsoft recommends that you test the Maps experience and the speed of map downloads with the specific SD card part that will be used on retail phones to determine if performance is satisfactory.
+
+## UseSmallerCache
+
+Do not use.
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
new file mode 100644
index 0000000000..a00378d147
--- /dev/null
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -0,0 +1,171 @@
+---
+title: Messaging (Windows 10)
+description: This section describes the Messaging settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Messaging (Windows Configuration Designer reference)
+
+Use for settings related to Messaging.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+## GlobalSettings > ShowSendingStatus
+
+Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages.
+
+## PerSimSettings > _ICCID
+
+Use to configure settings for each subscriber identification module (SIM) card.
+
+### AllowSelectAllContacts
+
+Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
+
+Windows 10 Mobile supports the following select multiple recipients features:
+
+- A multi-select chooser, which enables users to choose multiple contacts.
+- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM.
+
+### AllowSendingDeliveryReport
+
+Specify whether the phone automatically sends a receipt acknowledgment for MMS messages. Partners can specify whether the phone automatically sends a receipt acknowledgment for MMS messages when they arrive, and they can determine whether users can control the receipt acknowledgments by using the **Send MMS acknowledgment** toggle in **Messaging > settings**.
By default, this user setting is visible and turned on.
+
+| Setting | Description |
+| --- | --- |
+| AllowSendingDeliveryReport | **True** sets the **Send MMS acknowledgment** toggle to **On** |
+| AllowSendingDeliveryReportIsSupported | **True** shows the **Send MMS acknowledgment** toggle, and **False** hides the toggle |
+
+### AutomaticallyDownload
+
+Specify whether MMS messages are automatically downloaded.
+
+| Setting | Description |
+| --- | --- |
+| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** |
+| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle |
+
+### DefaultContentLocationUrl
+
+For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification.
+
+Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC.
+
+### ErrorCodeEnabled
+
+You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem.
+
+Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+
+
+### ImsiAuthenticationToken
+
+Configure whether MMS messages include the IMSI in the GET and POST header.
+
+Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+
+### MaxRetryCount
+
+You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent.
+
+Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+
+
+### RcsOptions
+
+Set options for Rich Communications Services (RCS).
+
+| Setting | Description |
+| --- | --- |
+| RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. |
+| RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.|
+| RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. |
+| ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. |
+
+
+### RequestDeliveryReport
+
+Set options related to MMS message notifications. You can specify whether users receive notification that MMS messages could not be delivered, and determine whether users can control this by using the MMS delivery confirmation toggle in **Messaging > settings**. By default, this user setting is visible but turned off.
+
+| Setting | Description |
+| --- | --- |
+| RequestDeliveryReport | Set to **True** to set the default value to on. |
+| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. |
+
+
+### TargetVideoFormat
+
+You can specify the transcoding to use for video files sent as attachments in MMS messages.
+
+Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:
+
+| Value | Description |
+| --- | --- |
+| 0 or 0x0 | Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS. |
+| 1 or 0x1 | Sets the transcoding to H.264 + AAC + 3GP. |
+| 2 or 0x2 | Sets the transcoding to H.263 + AMR.NB + 3GP. |
+| 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. |
+
+
+### UAProf
+
+You can specify a user agent profile to use on the phone for MMS messages.
The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
+
+There are two ways to correlate a user agent profile with a given phone:
+- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.
+- Alternatively, you can directly set the URI of the user agent profile on the phone.
+
+Set **UAProf** to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
+
+
+### UAProfToken
+
+You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
+
+Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
+
+
+### UserAgentString
+
+Set **UserAgentString** to the new user agent string for MMS in its entirely.
+
+By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
+
+
+### w4
+
+| Setting | Description |
+| --- | --- |
+| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:

    - A Uniform Resource Identifier (URI)
    - An IPv4 address represented in decimal format with dots as delimiters
    - A fully qualified Internet domain name |
+| APPID | Set to `w4` |
+| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
+| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:

    - Character string containing the name
    - no value specified

    If no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
+| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). |
+| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
+
+
+
+### WapPushTechnology
+
+For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values.
+
+| Value | Description |
+| --- | --- |
+| 1 or 0x1 | Enables MMS messages to have some of their content truncated. |
+| 0 or 0x0 | Disables MMS messages from being truncated. |
+
+
+
+## Related topics
+
+- [w4 APPLICATION CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/w4-application-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md
new file mode 100644
index 0000000000..dc45dff1ef
--- /dev/null
+++ b/windows/configuration/wcd/wcd-modemconfigurations.md
@@ -0,0 +1,22 @@
+---
+title: ModemConfiguration (Windows 10)
+description: This section describes the ModemConfiguration settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# ModemConfiguration (Windows Configuration Designer reference)
+
+Documentation not available at this time.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md
new file mode 100644
index 0000000000..37a5519dfd
--- /dev/null
+++ b/windows/configuration/wcd/wcd-multivariant.md
@@ -0,0 +1,23 @@
+---
+title: Multivariant (Windows 10)
+description: This section describes the Multivariant settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Multivariant (Windows Configuration Designer reference)
+
+Use to select a default profile for mobile devices that have multivariant configurations.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| DefaultProfile | | X | | | |
+
+If you will be adding [multivariant settings](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-multivariant) to your provisioning package, you can use the **DefaultProfile** setting to specify which variant should be applied by default if OOBE is skipped. In the **DefaultProfile** field, enter the UINAME from your customizations.xml that you want to use as default.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
new file mode 100644
index 0000000000..7eb31bc61c
--- /dev/null
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -0,0 +1,51 @@
+---
+title: NetworkProxy (Windows 10)
+description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# NetworkProxy (Windows Configuration Designer reference)
+
+Use for settings related to NetworkProxy.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | | X | | |
+
+
+## AutoDetect
+
+Automatically detect network proxy settings.
+
+| Value | Description |
+| --- | --- |
+| 0 | Disabled. Do not automatically detect settings. |
+| 1 | Enabled. Automatically detect settings. |
+
+## ProxyServer
+
+Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.
+
+| Setting | Description |
+| --- | --- |
+| ProxyAddress | Address to the proxy server. Specify an address in the format `server:port`. |
+| ProxyExceptions | Addresses that should not use the proxy server. The system will not use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. |
+| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.

    - 0 = Disabled. Do not use the proxy server for local addresses.
    - 1 = Enabled. Use the proxy server for local addresses. |
+
+## SetupScriptUrl
+
+Address to the PAC script you want to use.
+
+
+## Related topics
+
+- [NetworkProxy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
new file mode 100644
index 0000000000..5906d70cdd
--- /dev/null
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -0,0 +1,37 @@
+---
+title: NetworkQoSPolicy (Windows 10)
+description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# NetworkQoSPolicy (Windows Configuration Designer reference)
+
+Use to create network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | | X | | |
+
+1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**.
+2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
+
+| Setting | Description |
+| --- | --- |
+| AppPathNameMatchCondition | Enter the name of an application to be sued to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. |
+| DestinationPortMatchCondition | Specify a port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number], or [port number]. |
+| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-63. |
+| IPProtocolMatchCondition | Select between **Both TCP and UDP**, **TCP**, and **UDP** to specify the IP protocol used to match the network traffic. |
+| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 7. |
+| SourcePortMatchCondition | Specify a single port or range of ports. Valid values are [first port number]-[last port number], or [port number].
|
+
+## Related topics
+
+- [NetworkQoSPolicy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md
new file mode 100644
index 0000000000..c03217c87e
--- /dev/null
+++ b/windows/configuration/wcd/wcd-nfc.md
@@ -0,0 +1,29 @@
+---
+title: NFC (Windows 10)
+description: This section describes the NFC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# NFC (Windows Configuration Designer reference)
+
+Use to configure settings related to near field communications (NFC) subsystem.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+Expand **NFC** > **SEMgr** > **UI**. The following table describes the settings you can configure.
+
+| Setting | Description |
+| --- | --- |
+| CardEmulationState | Configure the default state of **Tap to pay**. Select between **OFF**, **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
+| DefaultFastCardSetting | Configure the default fast card usage for NFC payments. Select between **When Phone Unlocked**, **When Screen On**, and **Anytime**. |
+| HideFastCardsOption | Show or hide the fast cards options drop-down menu in the **NFC** > **Tap to pay** control panel. |
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
new file mode 100644
index 0000000000..7a72de6bb0
--- /dev/null
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -0,0 +1,47 @@
+---
+title: OOBE (Windows 10)
+description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# OOBE (Windows Configuration Designer reference)
+
+Use to configure settings for the Out Of Box Experience (OOBE).
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | |
+| [Mobile > HideOobe](#hidem) | | X | | | |
+| [Desktop > HideOobe](#hided) | X | | | | |
+
+
+## EnforceEnterpriseProvisioning
+
+When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting.
+
+When set to **False**, it does not force the OOBE flow to the enterprise provisioning page.
+
+
+## HideOobe for mobile
+
+When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile.
+
+When set to **False**, the OOBE screens are displayed.
+
+
+## HideOobe for desktop
+
+When set to **True**, it hides the interactive OOBE flow for Windows 10.
+
+>[!NOTE]
+>You must create a user account if you set the value to true or the device will not be usable.
+
+When set to **False**, the OOBE screens are displayed.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md
new file mode 100644
index 0000000000..f5f33e19a2
--- /dev/null
+++ b/windows/configuration/wcd/wcd-otherassets.md
@@ -0,0 +1,27 @@
+---
+title: OtherAssets (Windows 10)
+description: This section describes the OtherAssets settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# OtherAssets (Windows Configuration Designer reference)
+
+Use to configure settings for Map data.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| MapData | | X | | | |
+
+Use **MapData** to specify the source directory location of the map region you want to include.
+
+For example, if C:\Path\Maps\Europe contains the downloaded map data that you want to preload, set the value to that directory.
+
+To add additional maps, add a new MapData setting and set the source to the directory location of the map region you want to include.
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
new file mode 100644
index 0000000000..27f82ea825
--- /dev/null
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -0,0 +1,44 @@
+---
+title: Personalization (Windows 10)
+description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Personalization (Windows Configuration Designer reference)
+
+Use to configure settings to personalize a PC.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [DeployDesktopImage](#deploydesktopimage) | X | | | | |
+| [DeployLockScreenImage](#deploylockscreenimage) | X | | | | |
+| [DesktopImageUrl](#desktopimageurl) | X | | | | |
+| [LockScreenImageUrl](#lockscreenimageurl) | X | | | | |
+
+## DeployDesktopImage
+
+Deploy a jpg, jpeg or png image to the device to be used as desktop image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [DesktopImageUrl](#desktopimageurl).
+
+When using **DeployDesktopImage** and [DeployLockScreenImageFile](#deploylockscreenimage, the file names need to be different.
+
+## DeployLockScreenImage
+
+Deploy a jpg, jpeg or png image to the device to be used as lock screen image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [LockScreenImageUrl](#lockscreenimageurl).
+
+When using [DeployDesktopImage](#deploydesktopimage) and **DeployLockScreenImageFile**, the file names need to be different.
+
+## DesktopImageUrl
+
+Specify a jpg, jpeg or png image to be used as desktop image. This setting can take a http or https url to a remote image to be downloaded or a file url to a local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployDesktopImage](#deploydesktopimage).
+
+## LockScreenImageUrl
+
+Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded or a file Url to an existing local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployLockScreenImage](#deploylockscreenimage).
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
new file mode 100644
index 0000000000..72357237a0
--- /dev/null
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -0,0 +1,449 @@
+---
+title: Policies (Windows 10)
+description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Policies (Windows Configuration Designer reference)
+
+This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider).
+
+## AboveLock
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowActionCenterNotifications](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | |
+| [AllowToasts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. 
| X | X | | | |
+
+## Accounts
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | |
+| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | | |
+| [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | |
+| [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | |
+
+
+## ApplicationDefaults
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [DefaultAssociationsConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | |
+
+
+##ApplicationManagement
+
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| 
[AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Windows Store apps are allowed | X | X | | | |
+| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Windows Store is allowed | X | X | | | |
+| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X |
+| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | |
+| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | |
+| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device (?) | | X | | | |
+| [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | |
+| [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | |
+| [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | |
+
+
+
+
+## Authentication
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowFastReconnect](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X |
+
+
+## BitLocker
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [EncryptionMethod](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | |
+
+
+## Bluetooth
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X |
+| 
[AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X |
+| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X |
+| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X |
+| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | | |
+
+## Browser
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | |
+| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | |
+| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. 
| | X | | | |
+| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | |
+| [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | |
+| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | |
+| [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | |
+| [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | |
+| [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | |
+| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | |
+| [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. 
| X | X | X | | |
+| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | |
+| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | | |
+| [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | | | | |
+| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | |
+| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | | |
+| [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | |
+| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. 
| X | X | X | | |
+| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
+| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
+| EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
+| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | |
+| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | |
+| [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. 
| X | | | | |
+| [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | |
+| [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | |
+| [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | |
+| [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | |
+| [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | |
+| [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. 
| X | X | X | | |
+| [howMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | |
+
+
+## Camera
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | |
+
+
+## Connectivity
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | | |
+| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | |
+| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. 
| X | X | X | | |
+| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | |
+| [AllowNFC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | |
+| [AllowUSBConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | |
+| [AllowVPNOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | |
+| [AllowVPNRoamingOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | |
+| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | |
+| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. 
| X | X | X | | |
+
+## Cryptography
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowFipsAlgorithmPolicy](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | |
+| [TLSCiperSuites](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | |
+
+## Defender
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowArchiveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | |
+| [AllowBehaviorMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | |
+| [AllowCloudProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. 
| X | | | | |
+| [AllowEmailScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
+| [AllowFullScanOnMappedNetworkDrives](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
+| [AllowFullScanRemovableDriveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
+| [AllowIntrusionPreventionSystem](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
+| [AllowIOAVProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | |
+| [AllowOnAccessProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | |
+| [AllowRealtimeMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. 
| X | | | | |
+| [AllowScanningNetworkFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
+| [AllowScriptScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
+| [AllowUserUIAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
+| [AvgCPULoadFactor](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
+| [DaysToRetainCleanedMalware](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | |
+| [ExcludedExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
+| [ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. 
| X | | | | |
+| [ExcludedProcesses](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
+| [RealTimeScanDirection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
+| [ScanParameter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
+| [ScheduleQuickScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | |
+| [ScheduleScanDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
+| [ScheduleScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. 
| X | | | | |
+| [SignatureUpdateInterval](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | |
+| [SubmitSamplesConsent](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | |
+| [ThreatSeverityDefaultAction](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | |
+
+## DeliveryOptimization
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [DOAbsoluteMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | |
+| [DOAllowVPNPeerCaching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | |
+| [DODownloadMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. 
| X | | | | |
+| [DOGroupId](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | |
+| [DOMaxCacheAge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | |
+| [DOMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | |
+| [DOMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | |
+| [DOMaxUploadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | |
+| [DOMinBackgroundQos](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. 
| X | | | | |
+| [DOMinBatteryPercentageAllowedToUpload](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | |
+| [DOMinDiskSizeAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | |
+| [DOMinFileSizeToCache](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | |
+| [DOMinRAMAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | |
+| [DOModifyCacheDrive](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | |
+| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. 
| X | | | | |
+| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+
+
+## DeviceLock
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | |
+| [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | |
+| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | | |
+|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required.
| X | X | | | |
+| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | | |
+| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | | |
+| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | | |
+| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | | |
+| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | | |
+| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
| X | X | | | |
+| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | | |
+| [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | |
+
+
+## DeviceManagement
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | X | | | | |
+
+
+
+## Experience
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | |
+| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | | |
+| [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | |
+| [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature.
| X | X | | | |
+| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | |
+| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | |
+| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | |
+| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | | | | |
+| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | |
+| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | |
+| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight.
| X | | | | |
+| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | |
+| [AllowWindowsConsumerFeatures](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
+| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | |
+| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | |
+| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | |
+| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | |
+| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen.
| X | | | | |
+
+
+## Games
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | |
+
+
+## Location
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | |
+
+
+## Privacy
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | |
+| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps.
| X | X | | | |
+
+
+## Search
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | |
+| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | | |
+| [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | |
+| AllowWindowsIndexer | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

    - **Off** setting disables Windows indexer
    - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
    - **Enterprise** setting reduces potential network loads for enterprises
    - **Standard** setting is appropriate for consuemrs | X | X | | | |
+| [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | |
+| [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | |
+| [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | |
+| [PreventIndexingLowDiskSpaceMB](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | |
+| [PreventRemoteQueries](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | |
+| [SafeSearchPermissions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required.
| | X | | | |
+
+
+
+## Security
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | X | X |
+| [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | |
+| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | X | X |
+| [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | |
+| [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X |
+| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority.
| X | X | X | X | X |
+| [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | |
+
+## Settings
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | |
+| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | |
+| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | |
+| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | |
+
+## Start
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu.
| X | | | | |
+| AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
+| AllowPinnedFolderVideos |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
+| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
+| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
+| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
+| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start.
| X | | | | |
+| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
+| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
+| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
+| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
+| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
+| [HideRestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | |
+| [HideShutDown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | |
+| [HideSignOut](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile.
| X | | | | |
+| [HideSleep](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | |
+| [HideSwitchAccount](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | |
+| [HideUserTile](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | |
+| [ImportEdgeAssets](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | |
+| [NoPinningToTaskbar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | |
+| [StartLayout](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout.
For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | |
+
+## System
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | |
+| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | X | X |
+| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
+| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
+| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | X | X |
+| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data.
| X | X | | | |
+| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
+| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
+
+
+## TextInput
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowIMELogging](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | |
+| [AllowIMENetworkAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | |
+| [AllowInputPanel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | |
+| [AllowJapaneseIMESurrogatePairCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters.
| X | | | | |
+| [AllowJapaneseIVSCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | |
+| [AllJapaneseNonPublishingStandardGlyph](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | |
+| [AllowJapaneseUserDictionary](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | |
+| [AllowKeyboardTextSuggestions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | |
+| [AllowLanguageFeaturesUninstall](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | |
+| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | |
+| [ExcludeJapaneseIMEExceptISO208](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter.
| X | | | | |
+| [ExcludeJapaneseIMEExceptISO208andEUDC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
+| [ExcludeJapaneseIMEExceptShiftJIS](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
+
+
+## TimeLanguageSettings
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowSet24HourClock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | |
+
+
+## Update
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
+| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range.
| X | X | X | X | X |
+| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
+| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
+| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | X |
+| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. | X | X | X | X | X |
+| AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
+| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications.
| X | X | X | X | X |
+| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X |
+| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
+| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X |
+| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X |
+| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
+| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X |
+| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. 
| X | X | X | X | X |
+| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | X |
+| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X |
+| PhoneUpdateRestrictions | Deprecated | | X | | | |
+| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
+| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
+| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
+| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X ||
+| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. 
| X | X | X | X | X |
+| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | X | X |
+| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | X | X |
+| [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X |
+| [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X |
+
+
+## WiFi
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowAutoConnectToWiFiSenseHotspots](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | |
+| [AllowInternetSharing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. 
| X | X | | | |
+| [AllowManualWiFiConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | |
+| [AllowWiFi](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | |
+| [WLANScanMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X |
+
+## WindowsInkWorkspace
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowSuggestedAppsInWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | |
+| [AllowWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | |
+
+
+## WindowsLogon
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [HideFastUserSwitching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. 
| X | | | | |
+
+## WirelessDisplay
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | |
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
new file mode 100644
index 0000000000..5ed43d8d18
--- /dev/null
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -0,0 +1,27 @@
+---
+title: ProvisioningCommands (Windows 10)
+description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# ProvisioningCommands (Windows Configuration Designer reference)
+
+Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | X | | | | |
+
+For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md).
+
+
+
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
new file mode 100644
index 0000000000..d771bbee7b
--- /dev/null
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -0,0 +1,61 @@
+---
+title: SharedPC (Windows 10)
+description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# SharedPC (Windows Configuration Designer reference)
+
+Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | X | | | | |
+
+## AccountManagement
+
+Use these settings to configure settings for accounts allowed on the shared PC.
+
+| Setting | Value | Description |
+| --- | --- | --- |
+| AccountModel | - Only guest
    - Domain-joined only
    - Domain-joined and guest | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC.

    - Only guest allows anyone to use the PC as a local standard (non-admin) account.
    - Domain-joined only allows users to sign in with an Active Directory or Azure AD account.
    - Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. |
+| DeletionPolicy | - Delete immediately
    - Delete at disk space threshold
    - Delete at disk space threshold and inactive threshold | - Delete immediately will delete the account on sign-out.
    - Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for DiskLevelDeletion, and it will stop deleting accounts when the available disk space reaches the threshold you set for DiskLevelCaching. Accounts are deleted in order of oldest accessed to most recently accessed.
    - Delete at disk space threshold and inactive threshold will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by InactiveThreshold |
+| DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
+| DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
+| EnableAccountManager | True or false | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
+| InactiveThreshold | Number | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
+| KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) |
+| KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
+
+
+## EnableSharedPCMode
+
+Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings). 
+
+Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**.
+
+## PolicyCustomization
+
+Use these settings to configure policies for shared PC mode.
+
+| Setting | Value | Description |
+| --- | --- | --- |
+| MaintenanceStartTime | A number between 0 and 1440 | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
+| MaxPageFileSizeMB | A number between 1024 and 2048 | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
+| RestrictLocalStorage | True or false | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) |
+| SetEduPolicies | True or false | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) |
+| SetPowerPolicies | True or false | When set as **True**:

    - Prevents users from changing power settings
    - Turns off hibernate
    - Overrides all power state transitions to sleep (e.g. lid close) |
+| SignInOnResume | True or false | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
+| SleepTimeout | Number | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
+
+## Related topics
+
+- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md
new file mode 100644
index 0000000000..8d7ad0b7ff
--- /dev/null
+++ b/windows/configuration/wcd/wcd-shell.md
@@ -0,0 +1,23 @@
+---
+title: Shell (Windows 10)
+description: This section describes the Shell settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Shell (Windows Configuration Designer reference)
+
+Do not use. Use [Start > StartLayout](wcd-start.md#startlayout)
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
new file mode 100644
index 0000000000..ce6de17758
--- /dev/null
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -0,0 +1,107 @@
+---
+title: SMISettings (Windows 10)
+description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# SMISettings (Windows Configuration Designer reference)
+
+Use SMISettings settings to customize the device with custom shell, suppress Windows UI during boot and sign-in, and block or allow specific keys.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | X | | | | |
+
+## All settings in SMISettings
+
+The following table describes the settings in SMISettings. Some settings have additional details in sections after the table.
+
+| Setting | Value | Description |
+| --- | --- | --- |
+| AutoLogon | Enable
    Domain name
    Password
    UserName | Allows automatic sign-in at startup so that the user does not need to enter a user name and password. |
+| BrandingNeutral | See [BrandingNeutral values](#brandingneutral-values) | Specifies which UI elements display on the Welcome screen. |
+| CrashDumpEnabled | See [CrashDumpEnabled values](#crashdumpenabled-values) | Specifies the type of information to be saved in the event of a crash. |
+| DisableBootMenu | True or false | Disables the F8 and F10 keys during startup to prevent access to the **Advanced Startup Options** menu. |
+| DisplayDisabled | True or false | Configures the device to display a blank screen when the OS encounters an error that it cannot recover from. |
+| HideAllBootUI | True or false | Suppresses all Windows UI elements (logo, status indicator, and status message) during startup. |
+| HideAutologonUI | True or false | Hides the Welcome screen when automatic sign-in (AutoLogon) is enabled. |
+| HideBootLogo | True or false | Suppresses the default Windows logo that displays during the OS loading phase. |
+| HideBootStatusIndicator | True or false | Suppresses the status indicator that displays during the OS loading phase. |
+| HideBootStatusMessages | True or false | Suppresses the startup status text that displays during the OS loading phase. |
+| HideFirstLogonAnimation | True or false | Disable the animation during the first sign-in. |
+| KeyboardFilter | See [KeyboardFilter settings](#keyboardfilter-settings) | Use these settings to configure devices to suppress key presses or key combinations. |
+| NoLockScreen | True or false | Disables the lock screen functionality and UI elements |
+| ShellLauncher | See [ShellLauncher settings](#shelllauncher-settings) | Settings used to specify the application or executable to use as the default custom shell. |
+| UIVerbosityLevel | Suppress or do not suppress | Disables the Windows status messages during device startup, sign-in, and shut down. 
|
+
+## BrandingNeutral values
+
+The following table shows the possible values. You can combine these values using bitwise exclusive-OR logic to disable multiple Welcome screen UI elements.
+
+The default value is **17**, which disables all Welcome screen UI elements and the Switch user button.
+
+| Value | Description |
+| --- | --- |
+| 1 | Disables all Welcome screen UI elements |
+| 2 | Disables the Power button |
+| 4 | Disables the Language button |
+| 8 | Disables the Ease of access button |
+| 16 | Disables the Switch user button |
+| 32 | Disables the blocked shutdown resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any applications that are blocking system shut down. No UI is displayed and users are not given a chance to cancel the shutdown process. This can result in a loss of data if any open applications have unsaved data. |
+
+## CrashDumpEnabled values
+
+Contains an integer that specifies the type of information to capture in a dump (.dmp) file that is generated when the system stops unexpectedly.
+
+The .dmp file is typically saved in %SystemRoot% as Memory.dmp.
+
+Set CrashDumpEnabled to one of the following values:
+
+| Value | Description |
+| --- | --- |
+| 1 | Records all the contents of system memory. This dump file may contain data from processes that were running when the information was collected. |
+| 2 | Records only the kernel memory. This dump file includes only memory that is allocated to the kernel, kernel-mode drivers, and other kernel-mode programs. It does not include unallocated memory or any memory that is allocated to user-mode programs.

    For most purposes, this kind of dump file is the most useful because it is significantly smaller than the complete memory dump file, but it contains information that is most likely to have been involved in the issue.

    If a second problem occurs, the dump file is overwritten with new information. |
+| 3 | Records the smallest amount of useful information that may help identify why the device stopped unexpectedly. This type of dump file includes the following information:

    - A list of loaded drivers

    - The processor context (PRCB) for the processor that stopped

    - The process information and kernel context (EPROCESS) for the process that stopped

    - The process information and kernel context (ETHREAD) for the thread that stopped

    - The kernel-mode call stack for the thread that stopped


    This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by analyzing this file.

    The date is encoded in the file name. If a second problem occurs, the previous file is preserved and the new file is given a distinct name. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder. |
+| 4 | Records the smallest amount of useful information. This value produces the same results as entering a value of 3. |
+| 7 | Records only the kernel memory. This value produces the same results as entering a value of 2. This is the default value. |
+| Any other value | Disables crash dump and does not record anything. |
+
+## KeyboardFilter settings
+
+You can use KeyboardFilter to suppress undesirable key presses or key combinations. KeyboardFilter works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard.
+
+When you **enable** KeyboardFilter, a number of other settings become available for configuration.
+
+| Setting | Value | Description |
+| --- | --- | --- |
+| CustomKeyFilters | Allow or block | Add your own key filters to meet any special requirements that you may have that are not included in the predefined key filters.

    Enter a custom key combination in **CustomKeyFilter**, and then select it to allow or block it. The format to add custom filter combinations is "Alt+F9." This also appears as the CustomKey name, which is specified without "+". For more information, see [WEKF_CustomKey](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-customkey). |
+| CustomScancodeFilters | Allow or block | Blocks the list of custom scan codes. When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout.

    Enter a custom scancode in **CustomScancodeFilter**, and then select it to allow or block it. For more information, see [WEKF_Scancode](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-scancode). |
+| DisableKeyboardFilterForAdministrators | True or false | Disables the keyboard filter for administrators. |
+| ForceOffAccessibility | True or false | Disables all Ease of Access features and prevents users from enabling them. |
+| PredefinedKeyFilters | Allow or block | Specifies the list of predefined keys. For each key, the value will default to **Allow**. Specifying **Block** will suppress the key combination. |
+
+[Learn more about using keyboard filters.](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)
+
+## ShellLauncher settings
+
+Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
+
+You can also configure ShellLauncher to launch different shell applications for different users or user groups.
+
+>[!IMPORTANT]
+>You may specify any executable file to be the default shell except C:\Windows\System32\Eshell.exe. Using Eshell.exe as the default shell will result in a blank screen after a user signs in.
+>
+>You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup.
+
+ShellLauncher processes the Run and RunOnce registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications or services. ShellLauncher also handles the behavior of the system when your custom shell exits. 
You can configure the shell exit behavior if the default behavior does not meet your needs.
+
+>[!IMPORTANT]
+>A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights cannot. If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for ShellLauncher to launch the shell application.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
new file mode 100644
index 0000000000..25fcc57075
--- /dev/null
+++ b/windows/configuration/wcd/wcd-start.md
@@ -0,0 +1,35 @@
+---
+title: Start (Windows 10)
+description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Start (Windows Configuration Designer reference)
+
+Use Start settings to apply a customized Start screen to devices.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| StartLayout | X | X | | | |
+| StartLayoutFilePath | | X | | | |
+
+>[!IMPORTANT]
+>The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start).
+
+## StartLayout
+
+Use StartLayout to select the LayoutModification.xml file that applies a customized Start screen to a device.
+
+For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)).
+
+## StartLayoutFilePath
+
+Do not use.
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
new file mode 100644
index 0000000000..06c5b20b7a
--- /dev/null
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -0,0 +1,23 @@
+---
+title: StartupApp (Windows 10)
+description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# StartupApp (Windows Configuration Designer reference)
+
+Use StartupApp settings to configure the default app that will run on start for Windows 10 IoT Core (IoT Core) devices.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| Default | | | | | X |
+
+Enter the [Application User Model ID (AUMID)](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
new file mode 100644
index 0000000000..6b0840c310
--- /dev/null
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -0,0 +1,22 @@
+---
+title: StartupBackgroundTasks (Windows 10)
+description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# StartupBackgroundTasks (Windows Configuration Designer reference)
+
+Documentation not available at this time.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | | | | X |
+
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
new file mode 100644
index 0000000000..f2da4a2dd6
--- /dev/null
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -0,0 +1,35 @@
+---
+title: SurfaceHubManagement (Windows 10)
+description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# SurfaceHubManagement (Windows Configuration Designer reference)
+
+Use SurfaceHubManagement settings to set the administrator group that will manage a Surface Hub that is joined to the domain.
+
+>[!IMPORTANT]
+>These settings should be used only in provisioning packages that are applied during OOBE.
+
+
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | | X | | |
+
+
+## GroupName
+
+Enter the group name for the administrators group in Active Directory.
+
+## GroupSid
+
+Enter the SID or the administrators group in Active Directory.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
new file mode 100644
index 0000000000..a8d2ea900a
--- /dev/null
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -0,0 +1,29 @@
+---
+title: TabletMode (Windows 10)
+description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# TabletMode (Windows Configuration Designer reference)
+
+Use TabletMode to configure settings related to tablet mode.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | X | X | X | X | X |
+
+## ConvertibleSlateModePromptPreference
+
+Set the default for hardware-based prompts.
+
+## SignInMode
+
+Specify whether users switch to table mode by default after signing in.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
new file mode 100644
index 0000000000..75613f3b2e
--- /dev/null
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -0,0 +1,48 @@
+---
+title: TakeATest (Windows 10)
+description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# TakeATest (Windows Configuration Designer reference)
+
+Use TakeATest to configure the Take A Test app, a secure browser for test-taking. Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. For more information, see [Take tests in Windows 10](https://docs.microsoft.com/education/windows/take-tests-in-windows-10).
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | X | | | | |
+
+## AllowScreenMonitoring
+
+When set to True, students are able to record and take screen captures in the Take A Test app.
+
+## AllowTextSuggestions
+
+When set to True, students can see autofill suggestions from onscreen keyboards when typing in the Take A Test app.
+
+## LaunchURI
+
+Enter a link to an assessment that will be automatically loaded when the Take A Test app is opened.
+
+## RequirePrinting
+
+When set to True, students can print in the Take A Test app.
+
+## TesterAccount
+
+Enter the account to use when taking a test.
+
+To specify a domain account, enter **domain\user**. To specify an AAD account, enter **username@tenant.com**. To specify a local account, enter the username.
+
+
+## Related topics
+
+- [SecureAssessment configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/secureassessment-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md
new file mode 100644
index 0000000000..2d3e643f85
--- /dev/null
+++ b/windows/configuration/wcd/wcd-theme.md
@@ -0,0 +1,35 @@
+---
+title: Theme (Windows 10)
+description: This section describes the Theme settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Theme (reference)
+
+Use Theme to configure accent and background colors on Windows 10 Mobile.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+## DefaultAccentColor
+
+In the dropdown menu for DefaultAccentColor, select from the list of colors. The accent color is used for the background of the start tiles, some text, the progress indicator, the user’s My Phone web site, and so on.
+
+
+## DefaultBackgroundColor
+
+Select between **Light** and **Dark** for theme.
+
+
+## Related topics
+
+- [Themes and accent colors](https://msdn.microsoft.com/library/windows/hardware/dn772323(v=vs.85).aspx)
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
new file mode 100644
index 0000000000..fe65f8413f
--- /dev/null
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -0,0 +1,65 @@
+---
+title: UnifiedWriteFilter (Windows 10)
+description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# UnifiedWriteFilter (reference)
+
+
+Use UnifiedWriteFilter to configure settings for the Unified Write Filter (UWF) in your device to help protect your physical storage media, including most standard writable storage types that are supported by the OS, such as physical hard disks, solidate-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writeable volume.
+
+>[!IMPORTANT]
+>You cannot use UWF to protect external USB devices or flash drives.
+
+UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.
+
+The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume.
+
+>[!NOTE]
+>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume. 
+
+[Learn more about the Unified Write Filter feature.](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter)
+
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | X | | | | X |
+
+## FilterEnabled
+
+Set to **True** to enable UWF.
+
+## OverlaySize
+
+Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The minimum value for maximum overlay size is 1024.
+
+>[!NOTE]
+>UnifiedWriteFilter must be enabled for this setting to work.
+
+## OverlayType
+
+OverlayType specifies where the overlay is stored. Select between **RAM** (default) and **Disk** (pre-allocated file on the system volume).
+
+## RegistryExclusions
+
+You can add or remove registry entries that will be excluded from UWF filtering. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts.
+
+Use **Add** to add a registry entry to the exclusion list after you restart the device.
+
+Use **Remove** to remove a registry entry from the exclusion list after you restart the device.
+
+## Volumes
+
+Enter a drive letter for a volume to be protected by UWF.
+
+>[!NOTE]
+>In the current OS release, Windows Configuration Designer contains a validation bug. To work around this issue, you must include a ":" after the drive letter when specifying the value for the setting. For example, if you are specifying the C drive, you must set DriveLetter to "C:" instead of just "C".
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
new file mode 100644
index 0000000000..6ba1b3993a
--- /dev/null
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -0,0 +1,79 @@ +--- +title: UniversalAppInstall (Windows 10) +description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# UniversalAppInstall (reference) + + +Use UniversalAppInstall settings to install Windows apps from the Microsoft Store or a hosted location. + +>[!NOTE] +>You can only use the Windows provisioning settings and provisioning packages for apps where you have the available installation files, namely with sideloaded apps that have an offline license. [Learn more about offline app distribution.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [DeviceContextApp](#devicecontextapp) | X | | X | | | +| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | | +| [UserContextApp](#usercontextapp) | X | X | X | X | X | +| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X | + +## DeviceContextApp + +Enter an app package family name to install an app for all users of the device. You can use the [Get-AppxPackage cmdlet](https://technet.microsoft.com/itpro/powershell/windows/appx/get-appxpackage) to get the package family name for an installed app. + +>[!NOTE] +>For XAP files, enter the product ID. + +For each app that you add to the package, configure the settings in the following table. + +| Setting | Value | Description | +| --- | --- | --- | +| ApplicationFile | .appx or .appxbundle | Set the value to the app file that you want to install on the device. 
In addition, you must also enable the [AllowAllTrustedApps setting](wcd-policies.md#applicationmanagement) and add a root certificate or license file. | +| DependencyAppxFiles | any required frameworks | In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. | +| DeploymentOptions | - None
    -Force application shutdown: If this package, or any package that depends on this package, is currently in use, the processes associated with the package are shut down forcibly so that registration can continue
    - Development mode: do not use
    - Install all resources: When you set ths option, the app is instructed to skip resource applicability checks.
    - Force target application shutdown: If this package is currently in use, the processes associated with the package are shut down forcibly so that registration can continue | Select a deployment option. | +| LaunchAppAtLogin | - Do not launch app
    - Launch app | Set the value for app behavior when a user signs in. | +| OptionalPackageFiles | additional files required by the package | Browse to, select, and add the optional package files. | + +For more information on deployment options, see [DeploymentOptions Enum](https://docs.microsoft.com/uwp/api/windows.management.deployment.deploymentoptions). + +## DeviceContextAppLicense + +Use to specify the license file for the provisioned app. + +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. + +2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. + + +## UserContextApp + +Use to add a new user context app. + +1. Specify a **PackageFamilyName** for the app, and then click **Add**. +2. Select the PackageFamilyName in the Available Customizations pane, and then configure the following settings. + +Setting | Value | Description +--- | --- | --- +ApplicationFile | app file | Browse to, select, and add the application file, +DependencyAppxFiles | additional files required by the app | Browse to, select, and add dependency files. +DeploymentOptions | - None

    - Force application shutdown

    - Development mode

    - Install all resources

    - Force target application shutdown | Select a deployment option. +LaunchAppAtLogin | - Do not launch app

    - Launch app | Select whether the app should be started when a user signs in. + + +## UserContextAppLicense + +Use to specify the license file for the user context app. + +1. Specify a **LicenseProductId** for the app. You can find the license ID in the root header of the license file. Here is an example, `LicenseID="aaaaaaaa-dddd-8848-f8d0-7d6a93dfcccc"`. Enter it in the LicenseProductId field, and click **Add**. + +2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md new file mode 100644 index 0000000000..17bbc8f15b --- /dev/null +++ b/windows/configuration/wcd/wcd-universalappuninstall.md 
@@ -0,0 +1,40 @@
+---
+title: UniversalAppUninstall (Windows 10)
+description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# UniversalAppUninstall (reference)
+
+
+Use UniversalAppUninstall settings to uninstall or remove Windows apps.
+
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | |
+| [Uninstall](#uninstall) | X | X | X | X | X |
+
+## RemoveProvisionedApp
+
+Universal apps can be *provisioned*, which means that they are available on the device for installation in user context. When a user runs the provisioned app, the app is then installed for that user.
+
+Use **RemoveProvisionedApp** to remove app packages that are available on the device. Any instances of the app that have already been installed by a user are not uninstalled. To uninstall provisioned apps that have been installed by a user, use the [Uninstall](#uninstall) setting.
+
+1. Enter the PackageFamilyName for the app package, and then click **Add**.
+2. Select the PackageFamilyName in the Available Customizations pane, and then select **RemoveProvisionedApp**.
+
+## Uninstall
+
+Use **Uninstall** to remove provisioned apps that have been installed by a user.
+
+1. Enter the PackageFamilyName for the app package, and then click **Add**.
+2. Select the PackageFamilyName in the Available Customizations pane, and then select **Uninstall**.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
new file mode 100644
index 0000000000..7175b5e14b
--- /dev/null
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -0,0 +1,27 @@
+---
+title: UsbErrorsOEMOverride (Windows 10)
+description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# UsbErrorsOEMOverride (reference)
+
+
+Use UsbErrorsOEMOverride settings to .
+
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | X | X | X | X | |
+
+## HideUsbErrorNotifyOptionUI
+
+
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
new file mode 100644
index 0000000000..f1316bc77a
--- /dev/null
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -0,0 +1,43 @@
+---
+title: WeakCharger (Windows 10)
+description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# WeakCharger (reference)
+
+
+Use WeakCharger settings to configure the charger notification UI.
+
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | X | |
+| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | X | |
+
+
+## HideWeakChargerNotifyOptionUI
+
+This setting determines whether the user sees the dialog that's displayed when the user connects the device to an incompatible charging source. By default, the OS shows the weak charger notification option UI.
+
+Select between **Show Weak Charger Notifications UI** and **Hide Weak Charger Notifications UI**.
+
+## NotifyOnWeakCharger
+
+This setting displays a warning when the user connects the device to an incompatible charging source. This warning is intended to notify users that their device may take longer to charge or may not charge at all with the current charging source.
+
+An incompatible charging source is one that does not behave like one of the following port types as defined by the USB Battery Charging Specification, Revision 1.2, available on the USB.org website:
+- Charging downstream port
+- Standard downstream port
+- Dedicated charging port
+
+Select between **Disable Weak Charger Notifications UI** and **Enable Weak Charger Notifications UI**.
+
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
new file mode 100644
index 0000000000..b9ee438e22
--- /dev/null
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -0,0 +1,103 @@ +--- +title: WindowsTeamSettings (Windows 10) +description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +ms.author: jdecker +ms.date: 08/21/2017 +--- + +# WindowsTeamSettings (reference) + + +Use WindowsTeamSettings settings to configure Surface Hub. + + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | X | | | + +## Connect + +| Setting | Value | Description | +| --- | --- | --- | +| AutoLaunch | True or false | Open the Connect app automatically when someone projects. | +| Channel | - 1, 3, 4, 5, 6, 7, 8, 9, 10, 11 (works with all Miracast senders in all regions)
    - 36, 40, 44, 48 (works with all 5ghz band Miracast senders in all regions)
    - 149, 153, 157, 161, 165 (works with all 5ghz band Miracast senders in all regions except Japan) | Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. Integer specifying the channel. The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). | +| Enabled | True or false | Enables wireless projection to the device. | +| PINRequired | True or false | Requires presenters to enter a PIN to connect wirelessly to the device. | + +## DeviceAccount + +A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. + +| Setting | Value | Description | +| --- | --- | --- | +| CalendarSyncEnabled | True or false | Specifies whether calendar sync and other Exchange Server services are enabled. | +| DomainName | Domain of the device account when you are using Active Directory | To use a device account from Active Directory, you should specify both **DomainName** and **UserName** for the device account. | +| Email | Email address | Email address of the device account. | +| ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. | +| Password | Password | Password for the device account. | +| PasswordRotationEnabled | 0 = enabled
    1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. | +| SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. | +| UserName | User name | Username of the device account when you are using Active Directory. | +| UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. | +| ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. | + + +## FriendlyName + +Enter the name that users will see when they want to project wirelessly to the device. + +## MaintenanceHours + +Maintenance hours are the period of time during which automatic maintenance tasks are performed. + +| Setting | Value | Description | +| --- | --- | --- | +| Duration | Duration in minutes. For example, to set a 3-hour duration, set this value to 180. | The amount of time the device will be in maintenance, when the device will continue to download or install updates. | +| StartTime | Start time in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120 | Start time for when device is allowed to start downloading and installing updates. | + +## OMSAgent + +Configures the Operations Management Suite workspace. 
+ +| Setting | Value | Description | +| --- | --- | --- | +| WorkspaceID | GUID | GUID identifying the Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. | +| WorkspaceKey | Key | Primary key for authenticating with the workspace. | + +## Properties + +| Setting | Value | Description | +| --- | --- | --- | +| AllowAutoProxyAuth | True or false | Specifies if the Surface Hub can use the device account to authenticate into proxy servers requiring authentication. | +| AllowSessionResume | True or false | Specifies if users are allowed to resume their session after session timeout. | +| DefaultVolume | Numeric value between 0 and 100 | Default speaker volume. Speaker volume will be set to this value at every session startup. | +| DisableSigninSuggestions | True or false | Specifies if the Surface Hub will not show suggestions when users try to sign in to see their meetings and files. | +| DoNotShowMyMeetingsAndFiles | True or false | Specifies if users can sign in and have full access to personal meetings and most recently used documents. | +| ScreenTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will turn off its screen. | +| SessionTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will time out the current session and return to the welcome screen. | +| SleepTimeout | Select minutes from dropdown menu | The time (in minutes) of inactivity after which the Surface Hub will go into a sleep state. | + +## SkypeForBusiness + +| Setting | Value | Description | +| --- | --- | --- | +| DomainName | Domain name | Specifies the domain name of the target server when the Skype for Business server is in a domain that's different from the device account. 
| + +## Welcome + +| Setting | Value | Description | +| --- | --- | --- | +| AutoWakeScreen | True or false | Specifies whether to automatically turn on the screen using motion sensors. | +| CurrentBackgroundPath | Https URL to a PNG file | Background image for the welcome screen. | +| MeetingInfoOption | 0 = organizer and time only
    1 = organizer, time, and subject (subject is hidden for private meetings) | Specifies whether meeting information is displayed on the welcome screen. |
+
+## Related topics
+
+- [SurfaceHub configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/surfacehub-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
new file mode 100644
index 0000000000..6b641db70f
--- /dev/null
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -0,0 +1,24 @@
+---
+title: WLAN (Windows 10)
+description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# WLAN (reference)
+
+
+Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connectivityprofiles.md#wlan)
+
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | | | X | |
+
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
new file mode 100644
index 0000000000..901e30a048
--- /dev/null
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -0,0 +1,38 @@
+---
+title: Workplace (Windows 10)
+description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Workplace (reference)
+
+
+Use Workplace settings to configure bulk user enrollment to a mobile device management (MDM) service. For more information, see [Bulk enrollment step-by-step](https://docs.microsoft.com/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool).
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [Enrollments](#enrollments) | X | X | X | X | X |
+
+## Enrollments
+
+Select **Enrollments**, enter a UPN, and then click **Add** to configure the settings for the enrollment. The UPN is a unique identifier for enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com"
+
+| Settings | Value | Description |
+| --- | --- | --- |
+| AuthPolicy | - OnPremise
    - Certificate | The authentication policy used by the MDM service |
+| DiscoveryServiceFullUrl | URL | The full URL for the discovery service |
+| EnrollmentServiceFullUrl | URL | The full URL for the enrollment service |
+| PolicyServiceFullUrl | URL | The full URL for the policy service |
+| Secret | - Password string for on-premise authentication enrollment
    - Federated security token for federated enrollment
    - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy |
+
+## Related topics
+
+- [Provisioning configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/provisioning-csp)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
new file mode 100644
index 0000000000..38f6061d9f
--- /dev/null
+++ b/windows/configuration/wcd/wcd.md
@@ -0,0 +1,77 @@
+---
+title: Windows Configuration Designer provisioning settings (Windows 10)
+description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+ms.author: jdecker
+ms.date: 08/21/2017
+---
+
+# Windows Configuration Designer provisioning settings (reference)
+
+This section describes the settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer.
+
+## Edition that each group of settings applies to
+
+| Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [Accounts](wcd-accounts.md) | X | X | X | X | X |
+| [ADMXIngestion](wcd-admxingestion.md) | X | | | | |
+| [ApplicationManagement](wcd-applicationmanagement.md) | X | X | X | X | X |
+| [AssignedAccess](wcd-assignedaccess.md) | X | X | | X | |
+| [AutomaticTime](wcd-automatictime.md) | | X | | | |
+| [Browser](wcd-browser.md) | X | X | X | X | |
+| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | |
+| [Cellular](wcd-cellular.md) | X | | | | |
+| [Certificates](wcd-certificates.md) | X | X | X | X | X |
+| [CleanPC](wcd-cleanpc.md) | X | | | | |
+| [Connections](wcd-connections.md) | X | X | X | X | |
+| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | X |
+| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | |
+| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | |
+| [DeveloperSetup](wcd-developersetup.md) | | | | X | |
+| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | |
+| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | |
+| [DMClient](wcd-dmclient.md) | X | X | X | X | X |
+| 
[EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | |
+| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | |
+| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X |
+| [FirstExperience](wcd-firstexperience.md) | | | | X | |
+| [Folders](wcd-folders.md) |X | X | X | X | |
+| [InitialSetup](wcd-initialsetup.md) | | X | | | |
+| [InternetExplorer](wcd-internetexplorer.md) | | X | | | |
+| [Licensing](wcd-licensing.md) | X | | | | |
+| [Maps](wcd-maps.md) |X | X | X | X | |
+| [Messaging](wcd-messaging.md) | | X | | | |
+| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | |
+| [Multivariant](wcd-multivariant.md) | | X | | | |
+| [NetworkProxy](wcd-networkproxy.md) | | | X | | |
+| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | | X | | |
+| [NFC](wcd-nfc.md) | | X | | | |
+| [OOBE](wcd-oobe.md) | X | X | | | |
+| [OtherAssets](wcd-otherassets.md) | | X | | | |
+| [Personalization](wcd-personalization.md) | X | | | | |
+| [Policies](wcd-policies.md) | X | X | X | X | X |
+| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | |
+| [SharedPC](wcd-sharedpc.md) | X | | | | |
+| [Shell](wcd-shell.md) | | X | | | |
+| [SMISettings](wcd-smisettings.md) | X | | | | |
+| [Start](wcd-start.md) | X | X | | | |
+| [StartupApp](wcd-startupapp.md) | | | | | X |
+| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X |
+| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | |
+| [TabletMode](wcd-tabletmode.md) |X | X | X | X | |
+| [TakeATest](wcd-takeatest.md) | X | | | | |
+| [Theme](wcd-theme.md) | | X | | | |
+| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | |
+| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
+| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X |
+| [WeakCharger](wcd-weakcharger.md) |X | X | X | X | |
+| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | |
+| [WLAN](wcd-wlan.md) | | | | X | |
+| 
[Workplace](wcd-workplace.md) |X | X | X | X | X |
+
+
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 5fc6d0a993..10de96a306 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Manage Windows 10 Start and taskbar layout
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
index 88a4339635..611432abea 100644
--- a/windows/configuration/windows-diagnostic-data.md
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -5,7 +5,7 @@ keywords: privacy,Windows 10
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index c68dd7afa0..f786f2f6ad 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure Windows Spotlight on the lock screen
@@ -67,8 +67,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
 In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
->[!WARNING]
-> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
 ![lockscreen policy details](images/lockscreenpolicy.png)
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 26766b5852..b070057f1d 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -2,27 +2,18 @@
 ## [What's new in Windows 10 deployment](deploy-whats-new.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## [Windows 10 Enterprise E3 in CSP overview](windows-10-enterprise-e3-overview.md)
+
+## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
+### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
+### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
 ## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
 ## [Deploy Windows 10](deploy.md)
+### [Overview of Windows AutoPilot](windows-10-auto-pilot.md)
 ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
 ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
-
-### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
-#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
-##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
-##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
-##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
-##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
-##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
-##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
-
 ### [Windows 10 deployment test lab](windows-10-poc.md)
 #### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
 #### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@@ -70,14 +61,12 @@
 #### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
-
-
-
 ### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
 #### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
 ##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
 ##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
 ##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+
 #### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
 #### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
 #### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
@@ -94,8 +83,6 @@
 ##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
 ##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
-
-
 ### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
 #### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
 #### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -111,11 +98,9 @@
 #### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
 #### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+### [Windows 10 deployment tools](windows-10-deployment-tools.md)
-
-
-### [Windows 10 deployment tools](windows-10-deployment-tools-reference.md)
-
+#### [Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md)
 #### [Convert MBR partition to GPT](mbr-to-gpt.md)
 #### [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 #### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
@@ -219,10 +204,7 @@
 ### [Overview of Windows as a service](update/waas-overview.md)
 ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
 ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
-### [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md)
-### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
-#### [Get started with Update Compliance](update/update-compliance-get-started.md)
-#### [Use Update Compliance](update/update-compliance-using.md)
+### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
 ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
 #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
 #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
@@ -239,10 +221,29 @@
 ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
 #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
 #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
+#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
+##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
+##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
 ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
+## Windows Analytics
+### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
+#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
+#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
+##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
+#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
+##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
+##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
+##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
+##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
+#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
+### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
+#### [Get started with Update Compliance](update/update-compliance-get-started.md)
+#### [Use Update Compliance](update/update-compliance-using.md)
+### [Device Health](update/device-health-monitor.md)
+#### [Get started with Device Health](update/device-health-get-started.md)
+#### [Using Device Health](update/device-health-using.md)
-
-
-## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
-
+## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
\ No newline at end of file
diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md
new file mode 100644
index 0000000000..941c15911e
--- /dev/null
+++ b/windows/deployment/Windows-AutoPilot-EULA-note.md
@@ -0,0 +1,20 @@
+---
+title: Windows Autopilot EULA dismissal – important information
+description: A notice about EULA dismissal through Windows AutoPilot
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: high
+ms.author: mayam
+ms.date: 08/22/2017
+ROBOTS: noindex,nofollow
+---
+# Windows Autopilot EULA dismissal – important information
+
+>[!IMPORTANT]
+>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
+
+Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
+
+By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors.
\ No newline at end of file
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
new file mode 100644
index 0000000000..291aa15115
--- /dev/null
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -0,0 +1,83 @@
+---
+title: Add Microsoft Store for Business applications to a Windows 10 image
+description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image.
+keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 07/07/2017
+---
+
+# Add Microsoft Store for Business applications to a Windows 10 image
+
+**Applies to**
+
+- Windows 10
+
+This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
+
+>[!IMPORTANT]
+>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+
+## Prerequisites
+
+* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
+
+* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app).
+
+* A Windows Image. For instructions on image creation, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) or [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+>[!NOTE]
+> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**.
+
+## Adding a Store application to your image
+
+On a machine where your image file is accessible:
+1. Open Windows PowerShell with administrator privileges.
+2. Mount the image. At the Windows PowerShell prompt, type:
+`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
+3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
+`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
+
+>[!NOTE]
+>Paths and file names are examples. Use your paths and file names where appropriate.
+>
+>Do not dismount the image, as you will return to it later.
+
+## Editing the Start Layout
+
+In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+
+On a test machine:
+1. **Install the Microsoft Store for Business application you previously added** to your image.
+2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
+3. Open Windows PowerShell with administrator privileges.
+4. Use `Export-StartLayout -path .xml` where ** is the path and name of the xml file your will later import into your Windows Image.
+5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
+
+Now, on the machine where your image file is accessible:
+1. Import the Start layout. At the Windows PowerShell prompt, type:
+`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"`
+2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
+`Dismount-WindowsImage -Path c:\test -Save`
+
+>[!NOTE]
+>Paths and file names are examples. Use your paths and file names where appropriate.
+>
+>For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/)
+
+
+## Related topics
+* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
+* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout)
+* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout)
+* [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
+* [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
+
+
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index 7353568c47..3442d7e48a 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -12,6 +12,11 @@ ms.date: 06/28/2017
 # Change history for Deploy Windows 10
 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
+## July 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| The table of contents for deployment topics was reorganized.
+
 ## June 2017
 | New or changed topic | Description |
 |----------------------|-------------|
@@ -59,18 +64,18 @@ The topics in this library have been updated for Windows 10, version 1703 (also
 | [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
 | [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
 | [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
-| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) | New (previously published in other topics) |
-| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) |
+| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) |
+| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) |
+| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) |
+| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) |
+| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) |
+| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) |
+| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) |
+| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) |
 | [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
-| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) |
+| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
+| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
 ## October 2016
@@ -130,5 +135,5 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 ## Related topics
 - [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
 - [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-- [Change history for Access Protection](/windows/device-security/change-history-for-device-security)
-- [Change history for Access Protection](/windows/threat-protection/change-history-for-threat-protection)
+- [Change history for Device Security](/windows/device-security/change-history-for-device-security)
+- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index f0830b38a4..fee340161a 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -4,7 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows
 keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
new file mode 100644
index 0000000000..a05a03bbe9
--- /dev/null
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -0,0 +1,199 @@ +--- +title: Deploy Windows 10 Enterprise licenses +description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/23/2017 +author: greg-lindsay +--- + +# Deploy Windows 10 Enterprise licenses + +This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). + +>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. +>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. + +Also in this article: +- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. +- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. + +## Active Directory synchronization with Azure AD + +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. + +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) + +**Figure 1. On-premises AD DS integrated with Azure AD** + +For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: + +- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +## Preparing for deployment: reviewing requirements + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. + +## Assigning licenses to users + +Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: + +![profile](images/al01.png) + +The following methods are available to assign licenses: + +1. 
When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. +2. You can sign in to portal.office.com and manually assign licenses: + + ![portal](images/al02.png) + +3. You can assign licenses by uploading a spreadsheet. +4. A per-user [PowerShell scripted method](http://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. +5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. + +## Explore the upgrade experience + +Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? + +### Step 1: Join users’ devices to Azure AD + +Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. + +**To join a device to Azure AD the first time the device is started** + +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. + + Who owns this PC? page in Windows 10 setup + + **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** + +2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. + + Choose how you'll connect - page in Windows 10 setup + + **Figure 3. 
The “Choose how you’ll connect” page in initial Windows 10 setup** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. + + Let's get you signed in - page in Windows 10 setup + + **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** + +Now the device is Azure AD joined to the company’s subscription. + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** + +>[!IMPORTANT] +>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account. + +1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. + + Connect to work or school configuration + + **Figure 5. Connect to work or school configuration in Settings** + +2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. + + Set up a work or school account + + **Figure 6. Set up a work or school account** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. + + Let's get you signed in - dialog box + + **Figure 7. The “Let’s get you signed in” dialog box** + +Now the device is Azure AD joined to the company’s subscription. + +### Step 2: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. + +Sign in, Windows 10 + +**Figure 8. 
Sign in by using Azure AD account** + +### Step 3: Verify that Enterprise edition is enabled + +You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. + + +Windows 10 activated and subscription active + +
    **Figure 9 - Windows 10 Enterprise subscription in Settings**
    + + +If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). + +## Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: + +- The existing Windows 10 Pro, version 1703 operating system is not activated. + +- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. + +- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. + +- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. 
+ +- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. + +
    + + +Windows 10 not activated and subscription active +
    **Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
    + +
    + + +Windows 10 activated and subscription not active +
    **Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
    + +
    + + +Windows 10 not activated and subscription not active +
    **Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
    + + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure Active Directory joined:** + +1. Open a command prompt and type **dsregcmd /status**. + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10:** + +- At a command prompt, type: + **winver** + + A popup window will display the Windows 10 version number and detailed OS build information. + + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. + diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e872024dd2..e11c92867c 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -3,10 +3,11 @@ title: What's new in Windows 10 deployment description: Changes and new features related to Windows 10 deployment keywords: deployment, automate, tools, configure, news ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.prod: w10 ms.sitesec: library ms.pagetype: deploy +ms.date: 08/23/2017 author: greg-lindsay --- 
@@ -26,13 +27,21 @@ This topic provides an overview of new solutions and online content related to d ## Windows 10 Enterprise upgrade +Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md). + Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. -For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) +For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) ## Deployment solutions and tools +### Windows AutoPilot + +Windows AutoPilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows AutoPilot to reset, repurpose and recover devices. + +Windows AutoPilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows AutoPilot](windows-10-auto-pilot.md). + ### Upgrade Readiness The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. 
@@ -55,6 +64,9 @@ Update Compliance is a solution built using OMS Logs and Analytics that provides For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md). +### Device Health + +Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md) ### MBR2GPT diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index 7fbd9c8386..b5a1920b19 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -5,7 +5,7 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index c253293a7e..af480bfc6a 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md 
@@ -5,7 +5,7 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
 keywords: replication, replicate, deploy, configure, remote
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index bfcbdd5e6b..ba27f0da53 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -5,7 +5,7 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
 keywords: rules, configuration, automate, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
index c168bda59d..726a04ca82 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -5,7 +5,7 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
 keywords: rules, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index b01d3341c6..1646c5ed79 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -5,7 +5,7 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
 keywords: customize, customization, deploy, features, tools
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 123fe228b3..34503a310e 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
 keywords: deploy, upgrade, task sequence, install
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.pagetype: mdt
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 128b74d5b1..e5e8d59bf7 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -5,7 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
 keywords: deploy, deployment, configure, customize, install, installation
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
@@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc   5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings: 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 8.1 + 2. Select the operating system for which roles are to be installed: Windows 10 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) **Important**   @@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except ### Update the deployment share -After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created. +After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. 1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. 
@@ -566,7 +566,7 @@ SkipFinalSummary=YES The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.   - **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. - **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. - **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 7249255dfd..f98e4c4744 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -5,7 +5,7 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c keywords: deployment, automate, tools, configure ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus 
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index def335f1b1..ea7feeecfa 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
 keywords: deploy, tools, configure, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ms.pagetype: mdt
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index b27fa998b0..a954a1ef62 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
 keywords: deploy, image, feature, install, tools
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
index 859c8043e2..84f0f4a09e 100644
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
 ms.pagetype: mdt
 keywords: deploy, image, customize, task sequence
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
index b7b5b506bc..7cef6c1c1c 100644
--- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
 keywords: deploy, feature, tools, upgrade, migrate, provisioning
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
index f4e26d87e0..c681e75dfc 100644
--- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
+++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
@@ -5,7 +5,7 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
 keywords: deploy, install, deployment, boot, log, monitor
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 31098f8dce..7aa852d395 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
 keywords: deploy, system requirements
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index b2f30e6e6d..f142ee7e3f 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -5,7 +5,7 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
 keywords: reinstallation, customize, template, script, restore
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index aeae4e9b05..88573ebf1d 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -5,7 +5,7 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
 keywords: deploy, deployment, replace
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 48879c632c..9f0765935d 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -5,7 +5,7 @@ description:
 keywords: disk, encryption, TPM, configure, secure, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 815df1eb56..aa93bb9261 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -5,7 +5,7 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
 keywords: deploy, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 7b7aedc7f7..8b4ca7e777 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
 keywords: web services, database
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 8c3f5e61f8..7a24e08ad7 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -6,7 +6,7 @@ ms.pagetype: mdt
 keywords: database, permissions, settings, configure, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 73848f2618..3dea162597 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
 keywords: deploy, web apps
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.pagetype: mdt
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index e98fea9e6f..35bf254314 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
 keywords: image, deploy, distribute
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 275852e418..c7900eb237 100644
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -4,7 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta
 ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
 keywords: deploy, task sequence
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 8bc4b7fb7e..162a079354 100644
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
 keywords: tool, customize, deploy, boot image
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 2ecea45145..ad81044f04 100644
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -4,7 +4,7 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl
 ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
 keywords: deployment, task sequence, custom, customize
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
index bfbb8af872..16a4af055b 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
 keywords: deployment, image, UEFI, task sequence
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index 95c5db41d0..dd501cd667 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -4,7 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager
 ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
 keywords: deployment, custom, boot
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index d7f678277e..52181700d5 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -4,7 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio
 ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
 keywords: configure, deploy, upgrade
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index 770ff5a251..efc87d2fab 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
 keywords: deploy, upgrade
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 2b6360a89e..f005cca535 100644
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -4,7 +4,7 @@ description: This topic will walk you through the process of integrating Microso
 ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
 keywords: install, configure, deploy, deployment
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index e872322669..1bd55885aa 100644
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
 keywords: upgrade, install, installation, computer refresh
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 4ff7b936bf..d77f096553 100644
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
 keywords: upgrade, install, installation, replace computer, setup
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 429f29de1a..d493765134 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -5,7 +5,8 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 author: greg-lindsay
 ---
diff --git a/windows/deployment/images/al01.png b/windows/deployment/images/al01.png
new file mode 100644
index 0000000000..b779b59ac9
Binary files /dev/null and b/windows/deployment/images/al01.png differ
diff --git a/windows/deployment/images/al02.png b/windows/deployment/images/al02.png
new file mode 100644
index 0000000000..6d2216a377
Binary files /dev/null and b/windows/deployment/images/al02.png differ
diff --git a/windows/deployment/images/ua-step2-blades.png b/windows/deployment/images/ua-step2-blades.png
new file mode 100644
index 0000000000..c86f7a4338
Binary files /dev/null and b/windows/deployment/images/ua-step2-blades.png differ
diff --git a/windows/deployment/images/ua-step2-low-risk.png b/windows/deployment/images/ua-step2-low-risk.png
new file mode 100644
index 0000000000..6e9daf0233
Binary files /dev/null and b/windows/deployment/images/ua-step2-low-risk.png differ
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index 1705124e4a..6841274b4c 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -5,7 +5,8 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 author: greg-lindsay
 ---
@@ -17,8 +18,8 @@ Learn about deployment in Windows 10 for IT professionals. This includes deploy
 |------|------------|
 |[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
 |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
-|[Windows 10 Enterprise E3 in CSP overview](deploy-whats-new.md) |Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. |
-|[Resolve Windows 10 upgrade errors](windows-10-enterprise-e3-overview.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+|[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). 
|
+|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
 ## Deploy Windows 10
@@ -27,6 +28,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
 |Topic |Description |
 |------|------------|
+|[Overview of Windows AutoPilot](windows-10-auto-pilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. |
 |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
 |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
 |[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 1cc9702d45..f828bce6a8 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-localizationpriority: high
+ms.date: 09/05/2017
+ms.localizationpriority: high
 ---
 # MBR2GPT.EXE
@@ -17,28 +18,41 @@ localizationpriority: high
 ## Summary
-**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
-MBR2GPT.EXE is located in the **Windows\\System32** directory on a Windows 10 computer running Windows 10 version 1703 or later.
+See the following video for a detailed description and demonstration of MBR2GPT.
-You can use MBR2GPT to perform the following:
+
-- \[Within the Windows PE environment\]: Convert any attached MBR-formatted system disk to the GPT partition format.
-- \[From within the currently running OS\]: Convert any attached MBR-formatted system disk to the GPT partition format.
-
->MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions.
+>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
 >The tool is available in both the full OS environment and Windows PE.
-You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+You can use MBR2GPT to:
-The MBR2GPT tool can convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. 
However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
 >[!IMPORTANT]
 >After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
    Make sure that your device supports UEFI before attempting to convert the disk.
-
+## Prerequisites
+
+Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
+- The disk is currently using MBR
+- There is enough space not occupied by partitions to store the primary and secondary GPTs:
+ - 16KB + 2 sectors at the front of the disk
+ - 16KB + 1 sector at the end of the disk
+- There are at most 3 primary partitions in the MBR partition table
+- One of the partitions is set as active and is the system partition
+- The disk does not have any extended/logical partition
+- The BCD store on the system partition contains a default OS entry pointing to an OS partition
+- The volume IDs can be retrieved for each volume which has a drive letter assigned
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+
+If any of these checks fails, the conversion will not proceed and an error will be returned.
 ## Syntax
@@ -217,22 +231,6 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
 5. The boot configuration data (BCD) store is updated.
 6. Drive letter assignments are restored.
-### Disk validation
-
-Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
-- The disk is currently using MBR
-- There is enough space not occupied by partitions to store the primary and secondary GPTs:
- - 16KB + 2 sectors at the front of the disk
- - 16KB + 1 sector at the end of the disk
-- There are at most 3 primary partitions in the MBR partition table
-- One of the partitions is set as active and is the system partition
-- The disk does not have any extended/logical partition
-- The BCD store on the system partition contains a default OS entry pointing to an OS partition
-- The volume IDs can be retrieved for each volume which has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
-
-If any of these checks fails, the conversion will not proceed and an error will be returned.
-
 ### Creating an EFI system partition
 For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
index ec9afa1603..a86caa380f 100644
--- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
@@ -75,7 +75,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 ## Related topics
-[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10.md)
+[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10)
 [Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md)
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 2448b16d8b..dc4c8029ca 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, configure
 ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: TrudyHa
 ---
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 2ce0b1abdd..9768a7c1f6 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, appcompat
 ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: appcompat
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 9ddd7ab954..a9cee6bc13 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -4,7 +4,7 @@ description: There are new deployment options in Windows 10 that help you simpl
 ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
 keywords: deploy, upgrade, update, in-place
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: plan
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 60a48fef2f..ac8ae9af63 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -1,10 +1,10 @@
 ---
 title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
 description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
-keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools
 ms.prod: w10
 ms.mktglfcycl: plan
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author:
 ---
@@ -80,9 +80,9 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi
 Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
-### What are the servicing branches?
+### What are the servicing channels?
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. 
With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
 ### What tools can I use to manage Windows as a service updates?
@@ -92,13 +92,13 @@ There are many tools are available. You can choose from these:
 - Windows Server Update Services
 - System Center Configuration Manager
-For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
+For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools).
 ## User experience
 ### Where can I find information about new features and changes in Windows 10 Enterprise?
-For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library.
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
 Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index f886d6391f..a99af27a4e 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -5,7 +5,7 @@ ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64
 keywords: deploy, upgrade, update, hardware
 ms.prod: w10
 ms.mktglfcycl: plan
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 3af0220b18..8051af1421 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
 ms.author: daniha
-ms.date: 05/16/2017
+ms.date: 07/27/2017
 ---
 # Change history for Update Windows 10
@@ -15,6 +15,10 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
 >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+## July 2017
+
+All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes).
+
 ## May 2017
 | New or changed topic | Description |
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
new file mode 100644
index 0000000000..9df4b51c9b
--- /dev/null
+++ b/windows/deployment/update/device-health-get-started.md
@@ -0,0 +1,180 @@
+---
+title: Get started with Device Health
+description: Configure Device Health in OMS to see statistics on frequency and causes of crashes of devices in your network.
+keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+---
+
+# Get started with Device Health
+
+This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health.
+
+Steps are provided in sections that follow the recommended setup process:
+1. Ensure that [prerequisites](#device-health-prerequisites) are met.
+2. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices and set the telemetry level) to your organization’s devices.
+
+## Device Health prerequisites
+
+Device Health has the following requirements:
+1. Device Health is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
+2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft.
Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+
+Service | Endpoint
+--- | ---
+Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com
+Windows Error Reporting | watson.telemetry.microsoft.com
+Online Crash Analysis | oca.telemetry.microsoft.com
+
+>[!NOTE]
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for steps to exclude authentication for these endpoints.
+
+
+## Add Device Health to Microsoft Operations Management Suite
+
+Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
+
+**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health:
+
+1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+ [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png)
+
+
+2. Sign in to Operations Management Suite (OMS).
You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+ [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png)
+
+
+3. Create a new OMS workspace.
+
+ [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png)
+
+4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
+
+ [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png)
+
+5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
+
+ [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png)
+
+6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
+
+ [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png)
+
+7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added.
+
+ [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg)
+
+
+
+After you have added Device Health and devices have a Commercial ID, you will begin receiving data. It will typically take 24-48 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
+
+>[!NOTE]
+>You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
+
+## Deploy your Commercial ID to your Windows 10 devices and set the telemetry level
+
+In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
+
+- Using Group Policy

    +
+Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
+ 1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
+ 2. Double-click **Configure the Commercial ID**
+ 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.

    +
+- Using Microsoft Mobile Device Management (MDM)

    +Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. You can find more information on deployment using MDM at the [DMClient Configuration Service Provider topic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).  
+
+## Perform checks to ensure and verify successful deployment
+
+While you're waiting for the initial data to populate, there are some configuration details it's worth confirming to ensure that the necessary data connections are set up properly.
+
+### Check for disabled Windows Error Reporting (WER)
+ 
+If WER is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
+
+Check these Registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
+
+- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
+- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
+- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
+ 
+If you need further information on Windows Error Reporting (WER) settings, see [WER Settings](https://msdn.microsoft.com/library/windows/desktop/bb513638(v=vs.85).aspx).
+
+
+### Endpoint connectivity
+
+Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic.
+
+>[!NOTE]
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703.
(If you need more information about telemetry endpoints and how to manage them, see [Configure Windows telemetry in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization).
+
+If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
+
+Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required).
+
+To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*:
+
+```powershell
+
+$endPoints = @(
+ 'v10.vortex-win.data.microsoft.com'
+ 'settings-win.data.microsoft.com'
+ 'watson.telemetry.microsoft.com'
+ 'oca.telemetry.microsoft.com'
+ 'vortex.data.microsoft.com'
+ )
+
+$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+
+```
+
+If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+
+To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
+
+```powershell
+
+[scriptblock]$accessTest = {
+ $endPoints = @(
+ 'v10.vortex-win.data.microsoft.com'
+ 'settings-win.data.microsoft.com'
+ 'watson.telemetry.microsoft.com'
+ 'oca.telemetry.microsoft.com'
+ 'vortex.data.microsoft.com'
+ )
+
+ $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+}
+
+$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
+$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
+$accessTest.ToString() > $scriptFullPath
+$null > $outputFileFullPath
+$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`""
+$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
+$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
+Start-Sleep -Seconds 120
+Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
+Get-Content $outputFileFullPath
+
+```
+
+As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+
+
+
+
+
+
+
+## Related topics
+
+[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
    +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
new file mode 100644
index 0000000000..f620c80953
--- /dev/null
+++ b/windows/deployment/update/device-health-monitor.md
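Review bot: The machine-context test at the end of the "Endpoint connectivity" section writes `TestAccessToMicrosoftEndpoints.ps1` and its output file directly under `$env:ProgramData` and then runs the script as `NT AUTHORITY\SYSTEM` with `-ExecutionPolicy Bypass`; by default non-administrators can create files in that folder, so a local user who pre-creates or replaces either file before the task fires (the trigger is ten seconds out and the sample then sleeps 120 seconds) can get their own code run as SYSTEM, or have SYSTEM overwrite a file of their choosing via the output path. Write both files into a freshly created directory whose ACL grants write access only to Administrators and SYSTEM, or drop the script file altogether and pass the block inline, e.g. `$cmd = "& {$accessTest} > '$outputFileFullPath'"` and `-Argument "-NoProfile -EncodedCommand $([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd)))"`, and remove the output file after `Get-Content`. The proxy note above the sample tells readers to "exclude authentication" for the listed endpoints; I'd add one sentence that the exception should be scoped to exactly those FQDNs on TCP 443 rather than a general unauthenticated egress rule.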
@@ -0,0 +1,65 @@
+---
+title: Monitor the health of devices with Device Health
+description: You can use Device Health in OMS to monitor the frequency and causes of crashes and misbehaving apps on devices in your network.
+keywords: oms, operations management suite, wdav, health, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+---
+
+# Monitor the health of devices with Device Health
+
+## Introduction
+
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity.
+
+Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This preview release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health (preview) from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so.
+
+
+Device Health provides the following:
+
+- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced
+- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
+- Notification of Windows Information Protection misconfigurations that send prompts to end users
+- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 telemetry
+
+See the following topics in this guide for detailed information about configuring and using the Device Health solution:
+
+- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment.
+- [Using Device Health](device-health-using.md): How to begin using Device Health.
+
+An overview of the processes used by the Device Health solution is provided below.
+
+## Device Health architecture
+
+The Device Health architecture and data flow is summarized by the following five-step process:
+
+
+
+**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
    +**(2)** Telemetry data is analyzed by the Microsoft Telemetry Service.
    +**(3)** Telemetry data is pushed from the Microsoft Telemetry Service to your OMS workspace.
    +**(4)** Telemetry data is available in the Device Health solution.
    +**(5)** You are now able to proactively monitor Device Health issues in your environment.
    +
+These steps are illustrated in following diagram:
+
+ [![](images/analytics-architecture.png)](images/analytics-architecture.png)
+
+>[!NOTE]
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+
+
+
+ 
+## Related topics
+
+[Get started with Device Health](device-health-get-started.md)
+
+[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
+
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
new file mode 100644
index 0000000000..9fa09d1431
--- /dev/null
+++ b/windows/deployment/update/device-health-using.md
@@ -0,0 +1,170 @@
+---
+title: Using Device Health
+description: Explains how to begin usihg Device Health.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+---
+
+# Using Device Health
+
+This section describes how to use Device Health to monitor devices deployed on your network and troubleshoot the causes if they crash.
+
+
+Device Health provides IT Pros with reports on some common problems that users might experience so that they can be proactively remediated. This decreases support calls and improves productivity.
+
+Device Health provides the following benefits:
+
+- Identification of devices that crash frequently and therefore might need to be rebuilt or replaced
+- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
+- Notification of Windows Information Protection misconfigurations that send prompts to end users
+
+
+>[!NOTE]
+>Information is refreshed daily so that health status can be monitored. Changes will be displayed about 24-48 hours after their occurrence, so you always have a recent snapshot of your devices.
+
+In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
+
+
+## Device Reliability
+
+- [Frequently Crashing Devices](#frequently-crashing-devices)
+- [Driver-Induced OS Crashes](#driver--induced-OS-crashes)
+
+
+
+### Frequently Crashing Devices
+
+This middle blade in Device Reliability displays the devices that have crashed the most often in the last week.
This can help you identify unhealthy devices that might need to be rebuilt or replaced.
+
+See the following example:
+
+
+![The blade in the middle summarizes devices that crash most often](images/dev-health-main-tile-sterile.png)
+
+Clicking the header of the Frequently Crashing Devices blade opens a reliability perspective view, where you can filter data (by using filters in the left pane), see trends, and compare to commercial averages:
+
+![Reliability perspective](images/device-reliability2-sterile.png)
+
+"Commercial averages" here refers to data collected from deployments with a mix of operating system versions and device models that is similar to yours. If your crash rate is higher, there are opportunities for improvement, for example by moving to newer driver versions.
+
+Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter.
+
+>[!NOTE]
+>Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that that version has a low crash rate.
+
+>[!TIP]
+>Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.”
+
+
+If you click through a particular device from the view blade or from the Device Reliability perspective, it will take you to the Crash History perspective for that device.
+
+![Device detail and history](images/device-crash-history2-sterile.png)
+
+This displays device records sorted by date and crash details by failure ID, also sorted by date. In this view are a number of useful items:
+
+- Crash history records by date, aggregated by Failure ID. The Failure ID is an internal number that is used to group crashes that are related to each other. Eventually over time, you can use the Failure ID to provide additional info. If a crash was caused by driver, some driver fields will also be populated.
+
+- StopCode: this is hex value that would be displayed on a bluescreen if you were looking directly at the affected device.
+
+- Count: the number times that particular Failure ID has occurred on that specific device *on that date*.
+
+
+
+
+### Driver-Induced OS Crashes
+
+This blade (on the right) displays drivers that have caused the most devices to crash in the last two weeks. If your crash rate is high, you can reduce the overall operating system crashes in your deployment by upgrading those drivers with a high crash rate.
+
+
+![The blade on the right summarizes devices that crash most often](images/dev-health-main-tile-sterile.png)
+
+Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver perspective view, which shows the details for the responsible driver, trends and commercial averages for that driver, and alternative versions of the driver.
+
+![Driver detail and history](images/driver-detail-1-sterile.png)
+![Driver detail and history scrolldown](images/driver-detail-2-sterile.png)
+
+The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%.
If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization.
+
+
+
+
+
+## Windows Information Protection
+
+
+Windows Information Protection (WIP) helps protect work data from accidental sharing. Users might be disrupted if WIP rules are not aligned with real work behavior. WIP App Learning shows which apps on which computers are attempting to cross policy boundaries.
+
+For details about deploying WIP policies, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
+
+Once you have WIP policies in place, by using the WIP section of Device Health, you can:
+
+- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
+- Tune WIP rules, for example by confirming that certain apps are allowed or disallowed by current policy.
+
+
+![Main Windows Information Protection view](images/WIPNEWMAIN-sterile.png)
+
+
+Clicking through the **APP LEARNING** tile shows details of app statistics that you can use to explore each incident and update app policies by using AppLocker or WIP AppIDs.
+
+![WIP details view](images/WIPNEW1-chart-selected-sterile.png)
+
+In this chart view, you can click a particular app listing, which will open additional details on the app in question, including details you need to adjust your Windows Information Protection Policy:
+
+![WIP details view for a specific app](images/WIPappID-sterile.png)
+
+Here you can copy the WipAppid and use that for adjusting the WIP policy.
+
+## Data model and OMS built-in extensibility
+
+All of the views and blades display slices of the most useful data by using pre-formed queries. You have access to the full set of data collected by Device Health, which means you can construct your own queries to expose any data that is of interest to you.
For documentation on working with log searches, see [Find data using log searches](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). This topic section provides information about the data types being populated specifically by Device Health.
+
+### Example queries
+
+You can run these queries from the OMS **Log Search** interface (available at several points in the Device Health interface) by just typing them in. There are few details to be aware of:
+
+- After running a query, make sure to set the date range (which appears upper left after running initial query) to "7 days" to ensure you get data back.
+- If you see the search tutorial dialog appearing frequently, it's likely because you are have read-only access to the OMS workspace. Ask a workspace administrator to grant you "contributor" permissions (which is required for the "completed tutorial" state to persist).
+- If you use the search filters in the left pane, you might notice there is no control to undo a filter selection. To undo a selection, delete the (FilterName="FilterValue") element that is appended to the search query and then click the search button again. For example, after you run a base query of *Type = DHOSReliability KernelModeCrashCount > 0*, a number of filter options appear on the left. If you then filter on **Manufacturer** (for example, by setting *Manufacturer="Microsoft Corporation"* and then clicking **Apply**), the query will change to *Type = DHOSReliability KernelModeCrashCount > 0 (Manufacturer="Microsoft Corporation")*. Delete *(Manufacturer="Microsoft Corporation")* and then click the **search** button again to re-run the query without that filter.
+
+### Device reliability query examples
+
+|Data|Query|
+|-------------------|------------------------|
+|Total devices| Type = DHOSReliability \| measure countdistinct(ComputerID) by Type|
+|Number of devices that have crashed in the last three weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type|
+|Compare the percentage of your devices that have not crashed with the percentage of similar devices outside your organization ("similar" here means other commercial devices with the same mix of device models, operating system versions and update levels).| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by Type \| Display Table|
+|As above, but sorted by device manufacturer| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by Manufacturer \| sort NumberDevices desc \| Display Table|
+|As above, but sorted by model| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by ModelFamily\| sort NumberDevices desc \| Display Table|
+|As above, but sorted by operating system version| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by OSVersion \| sort NumberDevices desc \| Display Table|
+|Crash rate trending in my organization compared to the commercial average.
Each interval shows percentage of devices that crashed at least once in the trailing two weeks| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by TimeGenerated \| Display LineChart|
+|Table of devices that have crashed the most in the last two weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| Dedup ComputerID \| select Computer, KernelModeCrashCount \| sort TimeGenerated desc, KernelModeCrashCount desc \| Display Table|
+|Detailed crash records, most recent first| Type = DHOSCrashData \| sort TimeGenerated desc, Computer asc \| display Table|
+|Number of devices that crashed due to drivers| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type|
+|Table of drivers that have caused the most devices to crash| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by DriverName \| Display Table|
+|Trend of devices crashed by driver by day| * Type=DHOSCrashData DriverName!="ntkrnlmp.exe" DriverName IN {Type=DHOSCrashData \| measure count() by DriverName | top 5} \| measure countdistinct(ComputerID) as NumberDevices by DriverName interval 1day|
+|Crashes for different versions of a given driver (replace netwtw04.sys with the driver you want from the previous list).
This lets you get an idea of which *versions* of a given driver work best with your devices| Type = DHDriverReliability DriverName="netwtw04.sys" \| Dedup ComputerID \| sort TimeGenerated desc \| measure countdistinct(ComputerID) as InstallCount, sum(map(DriverKernelModeCrashCount,1,10000, 1)) as DevicesCrashed by DriverVersion \| Display Table|
+|Top crashes by FailureID| Type =DHOSCrashData \| measure count() by KernelModeCrashFailureId \| Display Table|
+
+### Windows Information Protection (WIP) App Learning query examples
+
+|Data|Query|
+|-------------------|------------------------|
+|Apps encountering policy boundaries on the most computers (click on an app in the results to see details including computer names)| Type=DHWipAppLearning \| measure countdistinct(ComputerID) as ComputerCount by AppName|
+|Trend of App Learning activity for a given app. Useful for tracking activity before and after a rule change| Type=DHWipAppLearning AppName="MICROSOFT.SKYPEAPP" | measure countdistinct(ComputerID) as ComputerCount interval 1day|
+
+### Exporting data and configuring alerts
+
+OMS enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set.
+
+
+
+
+## Related topics
+
+[Get started with Device Health](device-health-get-started.md)
+
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
diff --git a/windows/deployment/update/images/OMS-after-adding-solution.jpg b/windows/deployment/update/images/OMS-after-adding-solution.jpg
new file mode 100644
index 0000000000..d06a896f6e
Binary files /dev/null and b/windows/deployment/update/images/OMS-after-adding-solution.jpg differ
diff --git a/windows/deployment/update/images/WIP-detail.png b/windows/deployment/update/images/WIP-detail.png
new file mode 100644
index 0000000000..96b0a90280
Binary files /dev/null and b/windows/deployment/update/images/WIP-detail.png differ
diff --git a/windows/deployment/update/images/WIP.png b/windows/deployment/update/images/WIP.png
new file mode 100644
index 0000000000..ee7f30c014
Binary files /dev/null and b/windows/deployment/update/images/WIP.png differ
diff --git a/windows/deployment/update/images/WIP2-sterile.png b/windows/deployment/update/images/WIP2-sterile.png
new file mode 100644
index 0000000000..7cc35cde75
Binary files /dev/null and b/windows/deployment/update/images/WIP2-sterile.png differ
diff --git a/windows/deployment/update/images/WIP2.PNG b/windows/deployment/update/images/WIP2.PNG
new file mode 100644
index 0000000000..87255177e0
Binary files /dev/null and b/windows/deployment/update/images/WIP2.PNG differ
diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png
new file mode 100644
index 0000000000..eb2cabdcfd
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEW1.PNG b/windows/deployment/update/images/WIPNEW1.PNG
new file mode 100644
index 0000000000..29e14d5411
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW1.PNG differ
diff --git a/windows/deployment/update/images/WIPNEW2-sterile.png b/windows/deployment/update/images/WIPNEW2-sterile.png
new file mode 100644
index 0000000000..1ee1148c8f
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW2-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEW2.PNG b/windows/deployment/update/images/WIPNEW2.PNG
new file mode 100644
index 0000000000..af7a8c84b7
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW2.PNG differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png
new file mode 100644
index 0000000000..5efc5250c1
Binary files /dev/null and b/windows/deployment/update/images/WIPNEWMAIN-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN.PNG b/windows/deployment/update/images/WIPNEWMAIN.PNG
new file mode 100644
index 0000000000..b56da2b409
Binary files /dev/null and b/windows/deployment/update/images/WIPNEWMAIN.PNG differ
diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png
new file mode 100644
index 0000000000..43bad68ed0
Binary files /dev/null and b/windows/deployment/update/images/WIPappID-sterile.png differ
diff --git a/windows/deployment/update/images/WIPappID.PNG b/windows/deployment/update/images/WIPappID.PNG
new file mode 100644
index 0000000000..49ea2bc99c
Binary files /dev/null and b/windows/deployment/update/images/WIPappID.PNG differ
diff --git a/windows/deployment/update/images/WIPmain.PNG b/windows/deployment/update/images/WIPmain.PNG
new file mode 100644
index 0000000000..adb905255d
Binary files /dev/null and b/windows/deployment/update/images/WIPmain.PNG differ
diff --git a/windows/deployment/update/images/analytics-architecture.png b/windows/deployment/update/images/analytics-architecture.png
new file mode 100644
index 0000000000..1b537c1c9b
Binary files /dev/null and b/windows/deployment/update/images/analytics-architecture.png differ
diff --git a/windows/deployment/update/images/app-detail.png b/windows/deployment/update/images/app-detail.png
new file mode 100644
index 0000000000..c06ced4864
Binary files /dev/null and b/windows/deployment/update/images/app-detail.png differ
diff --git a/windows/deployment/update/images/app-health-dashboard.png b/windows/deployment/update/images/app-health-dashboard.png
new file mode 100644
index 0000000000..d8daee44ed
Binary files /dev/null and b/windows/deployment/update/images/app-health-dashboard.png differ
diff --git a/windows/deployment/update/images/crash-hang-detail.png b/windows/deployment/update/images/crash-hang-detail.png
new file mode 100644
index 0000000000..3a6447329c
Binary files /dev/null and b/windows/deployment/update/images/crash-hang-detail.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png
new file mode 100644
index 0000000000..1619d8bf70
Binary files /dev/null and b/windows/deployment/update/images/dev-health-main-tile-sterile.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile.png b/windows/deployment/update/images/dev-health-main-tile.png
new file mode 100644
index 0000000000..850b558512
Binary files /dev/null and b/windows/deployment/update/images/dev-health-main-tile.png differ
diff --git a/windows/deployment/update/images/device-crash-history.png b/windows/deployment/update/images/device-crash-history.png
new file mode 100644
index 0000000000..69f98f1d67
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history.png differ
diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png
new file mode 100644
index 0000000000..18056ed801
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history2-sterile.png differ
diff --git a/windows/deployment/update/images/device-crash-history2.PNG b/windows/deployment/update/images/device-crash-history2.PNG
new file mode 100644
index 0000000000..646afb4091
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history2.PNG differ
diff --git a/windows/deployment/update/images/device-reliability.png b/windows/deployment/update/images/device-reliability.png
new file mode 100644
index 0000000000..af8bb1d247
Binary files /dev/null and b/windows/deployment/update/images/device-reliability.png differ
diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png
new file mode 100644
index 0000000000..28fbf3725b
Binary files /dev/null and b/windows/deployment/update/images/device-reliability2-sterile.png differ
diff --git a/windows/deployment/update/images/device-reliability2.PNG b/windows/deployment/update/images/device-reliability2.PNG
new file mode 100644
index 0000000000..9af6d971b0
Binary files /dev/null and b/windows/deployment/update/images/device-reliability2.PNG differ
diff --git a/windows/deployment/update/images/driver-deeper-detail.png b/windows/deployment/update/images/driver-deeper-detail.png
new file mode 100644
index 0000000000..0437e555a1
Binary files /dev/null and b/windows/deployment/update/images/driver-deeper-detail.png differ
diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png
new file mode 100644
index 0000000000..7dcd86366f
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-1-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-1.PNG b/windows/deployment/update/images/driver-detail-1.PNG
new file mode 100644
index 0000000000..deeb998493
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-1.PNG differ
diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png
new file mode 100644
index 0000000000..e5fa480c3e
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-2-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-2.PNG b/windows/deployment/update/images/driver-detail-2.PNG
new file mode 100644
index 0000000000..71f16697f5
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-2.PNG differ
diff --git a/windows/deployment/update/images/driver-detail.png b/windows/deployment/update/images/driver-detail.png
new file mode 100644
index 0000000000..ab391f5adb
Binary files /dev/null and b/windows/deployment/update/images/driver-detail.png differ
diff --git a/windows/deployment/update/images/health-summary.png b/windows/deployment/update/images/health-summary.png
new file mode 100644
index 0000000000..906b0a2189
Binary files /dev/null and b/windows/deployment/update/images/health-summary.png differ
diff --git a/windows/deployment/update/images/login-health-detail-faillure.png b/windows/deployment/update/images/login-health-detail-faillure.png
new file mode 100644
index 0000000000..10b59a01d0
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail-faillure.png differ
diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png
new file mode 100644
index 0000000000..2d3871fc42
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail.png differ
diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png
new file mode 100644
index 0000000000..fd4f6740bd
Binary files /dev/null and b/windows/deployment/update/images/login-health.png differ
diff --git a/windows/deployment/update/images/reliability-perspective.png b/windows/deployment/update/images/reliability-perspective.png
new file mode 100644
index 0000000000..58e812dafa
Binary files /dev/null and b/windows/deployment/update/images/reliability-perspective.png differ
diff --git a/windows/deployment/update/images/reliability-perspective2.PNG b/windows/deployment/update/images/reliability-perspective2.PNG
new file mode 100644
index 0000000000..978cacc4f5
Binary files /dev/null and b/windows/deployment/update/images/reliability-perspective2.PNG differ
diff --git a/windows/deployment/update/images/solution-bundle.png b/windows/deployment/update/images/solution-bundle.png
new file mode 100644
index 0000000000..70cec8d8f4
Binary files /dev/null and b/windows/deployment/update/images/solution-bundle.png differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 4d6601fda8..01404a9781 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
diff --git a/windows/deployment/update/olympia/enrollment-keep-current-edition.md b/windows/deployment/update/olympia/enrollment-keep-current-edition.md
new file mode 100644
index 0000000000..b0016c44ee
--- /dev/null
+++ b/windows/deployment/update/olympia/enrollment-keep-current-edition.md
@@ -0,0 +1,44 @@
+---
+title: Keep your current Windows 10 edition
+description: Olympia Corp enrollment - Keep your current Windows 10 edition
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment
+
+## Keep your current Windows 10 edition
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ ![Settings -> Accounts](images/1-1.png)
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ ![Set up a work or school account](images/1-3.png)
+
+4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ ![Update your password](images/1-4.png)
+
+5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
+
+6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
+
+7. Create a PIN for signing into your Olympia corporate account.
+
+8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+9.
Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
diff --git a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
new file mode 100644
index 0000000000..6643971428
--- /dev/null
+++ b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
@@ -0,0 +1,57 @@
+---
+title: Upgrade your Windows 10 edition from Pro to Enterprise
+description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment
+
+## Upgrade your Windows 10 edition from Pro to Enterprise
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ ![Settings -> Accounts](images/1-1.png)
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect**, then click **Join this device to Azure Active Directory**.
+
+ ![Update your password](images/2-3.png)
+
+4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ ![Set up a work or school account](images/2-4.png)
+
+5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ ![Update your password](images/2-5.png)
+
+6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
+
+8. Create a PIN for signing into your Olympia corporate account.
+
+9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+10. Restart your PC.
+
+11.
In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
+
+12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
+
diff --git a/windows/deployment/update/olympia/images/1-1.png b/windows/deployment/update/olympia/images/1-1.png
new file mode 100644
index 0000000000..ee06527529
Binary files /dev/null and b/windows/deployment/update/olympia/images/1-1.png differ
diff --git a/windows/deployment/update/olympia/images/1-3.png b/windows/deployment/update/olympia/images/1-3.png
new file mode 100644
index 0000000000..807e895aa5
Binary files /dev/null and b/windows/deployment/update/olympia/images/1-3.png differ
diff --git a/windows/deployment/update/olympia/images/1-4.png b/windows/deployment/update/olympia/images/1-4.png
new file mode 100644
index 0000000000..3e63d1c078
Binary files /dev/null and b/windows/deployment/update/olympia/images/1-4.png differ
diff --git a/windows/deployment/update/olympia/images/2-3.png b/windows/deployment/update/olympia/images/2-3.png
new file mode 100644
index 0000000000..7006da4179
Binary files /dev/null and b/windows/deployment/update/olympia/images/2-3.png differ
diff --git a/windows/deployment/update/olympia/images/2-4.png b/windows/deployment/update/olympia/images/2-4.png
new file mode 100644
index 0000000000..677679a000
Binary files /dev/null and b/windows/deployment/update/olympia/images/2-4.png differ
diff --git a/windows/deployment/update/olympia/images/2-5.png b/windows/deployment/update/olympia/images/2-5.png
new file mode 100644
index 0000000000..cfec6f7ce0
Binary files /dev/null and b/windows/deployment/update/olympia/images/2-5.png differ
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
new file mode 100644
index 0000000000..17b87bd7b0
--- /dev/null
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -0,0 +1,22 @@
+---
+title: Olympia Corp enrollment guidelines
+description: Olympia Corp enrollment guidelines
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment guidelines
+
+Welcome to Olympia Corp. Here are the steps to add your account to your PC.
+
+As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade.
+
+Choose one of the following two enrollment options:
+
+1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md)
+
+2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md)
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 822dbf7bd1..5e3c80f9c4 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-author: greg-lindsay
+author: jaimeo
 ---
 # Get started with Update Compliance
@@ -39,61 +39,61 @@ Online Crash Analysis | oca.telemetry.microsoft.com
 Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
+If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already.
 If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
- [![](images/uc-02a.png)](images/uc-02.png)
+ [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png)
 2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
- [![](images/uc-03a.png)](images/uc-03.png)
+ [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png)
 3. Create a new OMS workspace.
- [![](images/uc-04a.png)](images/uc-04.png)
+ [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png)
 4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
- [![](images/uc-05a.png)](images/uc-05.png)
+ [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png)
 5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
- [![](images/uc-06a.png)](images/uc-06.png)
+ [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png)
-6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
+6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
- [![](images/uc-07a.png)](images/uc-07.png)
+ [![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png)](images/uc-07.png)
 7.
Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
- [![](images/uc-08a.png)](images/uc-08.png)
+ [![Workspace showing Solutions Gallery](images/uc-08a.png)](images/uc-08.png)
 8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
- [![](images/uc-09a.png)](images/uc-09.png)
+ [![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png)](images/uc-09.png)
 9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
- [![](images/uc-10a.png)](images/uc-10.png)
+ [![Series of blades showing Connected Sources, Windows Telemetry, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png)](images/uc-10.png)
 After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 1be2149594..2619584ebd 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -33,6 +33,8 @@ See the following topics in this guide for detailed information about configurin
 - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
 - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+
+ An overview of the processes used by the Update Compliance solution is provided below.
 ## Update Compliance architecture
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index e284dc274b..98db5c9f8c 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Configure BranchCache for Windows 10 updates
@@ -53,7 +54,7 @@ In addition to these steps, there is one requirement for WSUS to be able to use
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index b41a060c96..d71fba917a 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Configure Windows Update for Business
@@ -19,6 +20,11 @@ ms.author: daniha
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
 You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
 >[!IMPORTANT]
@@ -36,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl
 ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
-With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches).
+With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
 **Release branch policies**
@@ -257,7 +263,7 @@ In the Windows Update for Business policies in version 1511, all the deferral ru
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index e15cd39494..2b77126ecf 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Configure Delivery Optimization for Windows 10 updates
@@ -204,7 +205,7 @@ On devices that are not preferred, you can choose to set the following policy to
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
 - [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index f8a51fb650..224da4899d 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Build deployment rings for Windows 10 updates
@@ -29,35 +30,30 @@ Table 1 provides an example of the deployment rings you might use.
 **Table 1**
-| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release |
-| --- | --- | --- |
-| Preview | Windows Insider | Pre-CB |
-| Ring 1 Pilot IT | CB | CB + 0 weeks |
-| Ring 2 Pilot business users | CB | CB + 4 weeks |
-| Ring 3 Broad IT | CB | CB + 6 weeks |
-| Ring 4 Broad business users | CBB | CBB + 0 weeks |
-| Ring 5 Broad business users #2 | CBB | CBB + 2 weeks as required by capacity or other constraints |
+| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example |
+| --- | --- | --- | --- | --- |
+| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel |
+| Targeted | Semi-annual channel (Targeted) | None | None | Select devices across various teams used to evaluate the major release prior to broad deployment |
+| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
    Pause updates if there are critical issues |
+| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
 >[!NOTE]
->In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates.
+>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates.
 >
->Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
+>Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
-As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
-
-![illustration of rings](images/waas-rings.png)
-
+As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
 ## Steps to manage updates for Windows 10
 | | |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
 | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) |
-| ![to do](images/checklistbox.gif) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
 | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
 | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 294a8ed333..24c89c24be 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Integrate Windows Update for Business with management solutions
@@ -97,7 +98,7 @@ For Windows 10, version 1607, organizations already managing their systems with
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 13e614dbf4..0fdb3289c7 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Deploy Windows 10 updates using System Center Configuration Manager
@@ -17,7 +18,12 @@ ms.author: daniha
 - Windows 10
 - Windows 10 Mobile
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
 System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
@@ -292,10 +298,10 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
 | | |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
 | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
@@ -310,7 +316,7 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index f9cc0b2feb..765051754a 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
@@ -18,6 +18,11 @@ ms.author: daniha
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
 WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
@@ -322,10 +327,10 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
 | | |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
 | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or Deploy Windows 10 updates using Windows Server Update Services (this topic)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -337,7 +342,7 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 2c33b3ad01..7391b7bb5e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
@@ -19,6 +19,11 @@ ms.author: daniha
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
 Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Specifically, Windows Update for Business allows for:
@@ -75,7 +80,7 @@ The pause period is now calculated starting from the set start date. For additio
 Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
 >[!NOTE]
->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-branches).
+>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
@@ -102,10 +107,10 @@ For more information about Update Compliance, see [Monitor Windows Updates using
 | | |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
 | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -114,7 +119,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index 35ed31ba72..9234f54996 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
@@ -20,14 +20,19 @@ ms.author: daniha
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 >[!TIP]
->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
-Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
+Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
 [Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
    +>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
 | Windows 10 edition | CB | CBB | Insider Program |
 | --- | --- | --- | --- | --- |
 | Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
@@ -68,7 +73,7 @@ If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, versi
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
 - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index f6ff84324d..899f98788b 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
@@ -47,7 +47,10 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 ## Express update delivery
-Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+
+>[!NOTE]
+>Currently, Express update delivery only applies to quality update downloads.
 ### How Microsoft supports Express
 - **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
@@ -83,10 +86,10 @@ At this point, the download is complete and the update is ready to be installed.
 | | |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
 | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
 | ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) |
 | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index b1034016b5..fac84472ae 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -5,8 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
+ms.date: 07/27/2017
 ---
 # Overview of Windows as a service
@@ -22,7 +23,7 @@ ms.author: daniha
 The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
+
 ## Building
@@ -56,11 +57,22 @@ Device compatibility in Windows 10 is also very strong; new hardware is not need
 Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month.
-With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+With Windows 10, organizations will need to change the way they approach deploying updates. Servicing channels are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing channels comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing channel to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing channels and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
 For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
-To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches).
+To align with this new update delivery model, Windows 10 has three servicing channels, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing channels available in Windows 10, see [Servicing channels](#servicing-channels).
+
+### Naming changes
+
+As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using:
+* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel".
+* Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC).
+
+>[!NOTE]
+>For additional information, see the section about [Servicing Channels](#servicing-channels).
+>
+>You can also read [this blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change.
 ### Feature updates
@@ -72,9 +84,9 @@ With Windows 10, Microsoft will package new features into feature updates that c
 ### Quality updates
-Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
-In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
+In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes.
This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
 **Figure 1**
@@ -82,60 +94,58 @@ In Windows 10, rather than receiving several updates each month and trying to fi
-## Servicing branches
+## Servicing channels
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
+With that in mind, Windows 10 offers 3 servicing channels.
The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+
+The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
>[!NOTE]
->Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+>Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+### Semi-Annual Channel
-### Current Branch
+In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing modal is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
+Once the latest release went through pilot deployment and testing, you choose the timing at which it goes into broad deployment.
-In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
-
-When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system.
Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
-
-
-
### Current Branch for Business
-
-Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Each feature update release will be supported and updated for 18 months from the time of its release.
+When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system.
For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
+Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release
>[!NOTE]
->Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
+>Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
-Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back.
+### Long-term Servicing Channel
-### Long-term Servicing Branch
-
-Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes.
The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
>[!NOTE]
->LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch.
+>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+>
+>Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices.
As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel.
-Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
-LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices. Since Windows Store client is not available in Windows 10 Enterprise LTSB, if you need to run a Windows Store app, you should not use Windows 10 LTSB on that device.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition.
This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSC model primarily for specialized devices.
>[!NOTE]
->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB.
+>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.
### Windows Insider
-For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
+For many IT pros, gaining visibility into feature updates early—before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next Semi-Annual Channel release. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md).
>[!NOTE]
>Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
>
->The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+>The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
@@ -143,8 +153,8 @@ Microsoft recommends that all organizations have at least a few PCs enrolled in
There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
-- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
-- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
+- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel.
Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
+- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
@@ -159,16 +169,19 @@ With all these options, which an organization chooses depends on the resources,
| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
+>[!NOTE]
+>Due to [naming changes](#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+
    ## Steps to manage updates for Windows 10
| | |
| --- | --- |
-| ![done](images/checklistdone.png) | Learn about updates and servicing branches (this topic) |
+| ![done](images/checklistdone.png) | Learn about updates and servicing channels (this topic) |
| ![to do](images/checklistbox.gif) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -185,12 +198,4 @@ With all these options, which an organization chooses depends on the resources,
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
-
-
-
-
-
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 3a5f929896..8b85bf57aa 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Quick guide to Windows as a service
@@ -26,20 +27,22 @@ Some new terms have been introduced as part of Windows as a service, so you shou
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
-- **Servicing channels** allow organizations to choose when to deploy new features. The Semi-Annual Channel receives feature updates twice per year. The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
+- **Servicing channels** allow organizations to choose when to deploy new features.
+ - The **Semi-Annual Channel** receives feature updates twice per year.
+ - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
-Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
+Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
-See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
+See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information.
## Staying up to date
@@ -55,7 +58,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Video: An overview of Windows as a service
-
+
## Learn more
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 0b33aa08b4..807d2f4a3d 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/05/2017
---
@@ -26,24 +26,24 @@ You can use Group Policy settings, mobile device management (MDM) or Registry (n
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time.
-To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
-For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Delay automatic reboot
-When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion:
+When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
-For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Configure active hours
@@ -57,7 +57,7 @@ Administrators can use multiple ways to set active hours for managed devices:
- You can use Group Policy, as described in the procedure that follows.
- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
-- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
+- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
### Configuring active hours with Group Policy
@@ -77,7 +77,7 @@ Any settings configured through Registry may conflict with any existing configur
You should set a combination of the following registry values, in order to configure active hours. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
-For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
>[!NOTE]
>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
@@ -94,7 +94,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan ## Limit restart delays -After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. +After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. ## Control restart notifications 
@@ -123,7 +123,7 @@ To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https:/ ### Scheduled auto-restart warnings -Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled a restart. You can also configure a configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. +Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**. 
@@ -185,7 +185,7 @@ The following tables list registry values that correspond to the Group Policy se There are 3 different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
-- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
+- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. - To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. ## Related topics
diff --git a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
similarity index 76%
rename from windows/deployment/update/waas-servicing-branches-windows-10-updates.md
rename to windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 43aade46a5..cddacc1917 100644
--- a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,15 +1,16 @@ --- -title: Assign devices to servicing branches for Windows 10 updates (Windows 10) +title: Assign devices to servicing channels for Windows 10 updates (Windows 10) description: tbd ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- -# Assign devices to servicing branches for Windows 10 updates +# Assign devices to servicing channels for Windows 10 updates **Applies to** 
@@ -20,11 +21,13 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!TIP] ->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. +>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first. +> +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10. +Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10. -| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program | +| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program | | --- | --- | --- | --- | --- | | Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | | Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | 
@@ -40,7 +43,12 @@ Current Branch is the default servicing branch for all Windows 10 devices except >[!NOTE] >The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -## Assign devices to Current Branch for Business +## Assign devices to Semi-Annual Channel + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. **To assign a single PC locally to CBB** 
@@ -96,7 +104,7 @@ Enrolling devices in the Windows Insider Program is simple and requires only a M After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select. The options for Insider level are: -- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. +- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. - **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. - **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality. 
@@ -110,9 +118,9 @@ To prevent devices in your enterprise from being enrolled in the Insider Program - Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds** - MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview) -## Switching branches +## Switching channels -During the life of a device, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. +During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
    @@ -122,63 +130,63 @@ During the life of a device, it may be necessary or desirable to switch between - - + + - - + + - - + + - + - + - - + + - + - + - - + + - + - + - - + + - - + +
    From this branchTo this branchFrom this channelTo this channel You need to
    Windows Insider ProgramCurrent BranchWait for the final Current Branch release.Semi-Annual Channel (Targeted)Wait for the final Semi-Annual Channel release.
    Current Branch for BusinessNot directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.Semi-Annual ChannelNot directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
    Long-Term Servicing BranchLong-Term Servicing Channel Not directly possible (requires wipe-and-load).
    Current BranchSemi-Annual Channel (Targeted) Insider Use the Settings app to enroll the device in the Windows Insider Program.
    Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.Semi-Annual ChannelSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
    Long-Term Servicing BranchLong-Term Servicing Channel Not directly possible (requires wipe-and-load).
    Current Branch for BusinessSemi-Annual Channel Insider Use the Settings app to enroll the device in the Windows Insider Program.
    Current BranchDisable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Branch release.Semi-Annual Channel (Targeted)Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
    Long-Term Servicing BranchLong-Term Servicing Channel Not directly possible (requires wipe-and-load).
    Long-Term Servicing BranchLong-Term Servicing Channel Insider Use media to upgrade to the latest Windows Insider Program build.
    Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)Semi-Annual Channel (Targeted)Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
    Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.Semi-Annual ChannelUse media to upgrade. Note that the Semi-Annual Channel build must be a later build.
    @@ -195,10 +203,10 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Assign devices to servicing branches for Windows 10 updates (this topic) | +| ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index a53ddfc63c..c6cd1ca434 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high ms.author: daniha ---
@@ -27,19 +27,21 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. -- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-annual Channel. 
Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. 
Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). >[!NOTE] >This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). +> +>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: 1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. 
For more information about device and application compatibility in Windows 10, see the section Compatibility. -2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. +2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. 
Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. 3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department. @@ -47,10 +49,10 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md
index 9b9ebc28ce..9f3bfed774 100644
--- a/windows/deployment/update/waas-windows-insider-for-business-aad.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-aad.md
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high ms.author: daniha ---
diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md
index 4ad1cd7e3f..7115a9f6d5 100644
--- a/windows/deployment/update/waas-windows-insider-for-business-faq.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-faq.md
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high ms.author: daniha ---
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index 4a57a47307..333ee70f35 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high ms.author: daniha ---
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 006e2e91e3..8e83c58fd6 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha ms.date: 05/16/2017 --- diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 5833d568ae..139a173b93 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- @@ -18,6 +18,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch. 
@@ -339,7 +344,7 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 8375a45ceb..5faa58e16a 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- 
@@ -19,6 +19,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. 
@@ -262,7 +267,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 7df51a183e..81aed1c722 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -localizationpriority: high +ms.localizationpriority: high --- # Resolve Windows 10 upgrade errors : Technical information for IT Pros 
@@ -686,9 +686,13 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT Mitigation -[Analyze log files](#analyze-log-files) in order to determine the files that are blocking data migration. +[Analyze log files](#analyze-log-files) in order to determine the files or registry entires that are blocking data migration. -Note: This error can occur if Active Directory integrated user accounts exist on the computer, but these accounts are no longer present in Active Directory. To repair this error, delete the invalid accounts from the **Users** directory on the local computer and restart the upgrade process. +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. + +Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. + +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index fa59c94780..c3ef73e060 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
@@ -13,11 +13,11 @@ author: greg-lindsay To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. >[!IMPORTANT] ->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. +>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). -> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). +> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). The Upgrade Readiness deployment script does the following: 
@@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following: To run the Upgrade Readiness deployment script: -1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. +1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. 2. Edit the following parameters in RunConfig.bat: @@ -66,7 +66,7 @@ To run the Upgrade Readiness deployment script: \*vortex\*.data.microsoft.com
    \*settings\*.data.microsoft.com -5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. +5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. @@ -81,7 +81,7 @@ The deployment script displays the following exit codes to let you know if it wa 1 - Unexpected error occurred while executiEng the script. - The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. + The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. 2 - Error when logging to console. $logMode = 0.
    (console only) 
@@ -132,15 +132,16 @@ The deployment script displays the following exit codes to let you know if it wa 13 - Can’t connect to Microsoft - setting. - An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. +14 14 - Can’t connect to Microsoft - compatexchange. - An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). 
15 - Function CheckVortexConnectivity failed with an unexpected exception. - This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. + This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. 16 - The computer requires a reboot before running the script. @@ -196,10 +197,10 @@ The deployment script displays the following exit codes to let you know if it wa 29 - Connectivity check failed for proxy authentication. - Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. + Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
    The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
    For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
    For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). +
    For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. @@ -209,7 +210,7 @@ The deployment script displays the following exit codes to let you know if it wa 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. - Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m. + Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m. 32 - Appraiser version on the machine is outdated. @@ -217,7 +218,7 @@ The deployment script displays the following exit codes to let you know if it wa 33 - **CompatTelRunner.exe** exited with an exit code - **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details. + **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. 34 - Function **CheckProxySettings** failed with an unexpected exception. 
@@ -278,7 +279,49 @@ The deployment script displays the following exit codes to let you know if it wa 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. - **CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. + **CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. + + + 50 - Diagtrack Service is not running. + Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service. + + + 51 - RunCensus failed with an unexpected exception. + RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. + + + 52 - DeviceCensus.exe not found on a Windows 10 machine. + On computers running Windows 10, the process devicecensus.exe should be present in the \system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. + + + 53 - There is a different CommercialID present at the GPO path:  "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection". This will take precedence over the CommercialID provided in the script. + Provide the correct CommercialID at the GPO location. +>[!NOTE] +>**Additional steps to follow if you receive exit code 33** + +>Check the exit code for any of these messages: +> +>- CompatTelRunner.exe exited with last error code: 0x800703F1 +>- CompatTelRunner.exe exited with last error code: 0x80070005 +>- CompatTelRunner.exe exited with last error code: 0x80080005 +>  +> +>If the exit code includes any of those messages, then run these commands from an elevated command prompt: +> +>1. Net stop diagtrack +>2. 
Net stop pcasvc +>3. Net stop dps +>4. Del %windir%\appcompat\programs\amcache.hve +>5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f +>6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f +>7. Net start diagtrack +>8. Net start pcasvc +>9. Net start dps +> +>Then run the Enterprise Config script (RunConfig.bat) again.  +> +>If the script still fails, then send mail to **uasupport@microsoft.com** including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. + diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 937be3b7e3..29a27310e4 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: greg-lindsay +author: jaimeo --- # Get started with Upgrade Readiness 
@@ -43,7 +43,7 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen >[!IMPORTANT] >Upgrade Readiness is a free solution. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. -If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. +If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. If you are not using OMS: 
@@ -54,9 +54,9 @@ If you are not using OMS: > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. -1. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. +5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. -2. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens. +6. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens. ### Generate your commercial ID key @@ -64,7 +64,7 @@ Microsoft uses a unique commercial ID to map information from user computers to 1. On the Settings Dashboard, navigate to the **Windows telemetry** panel. - ![upgrade-readiness-telemetry](../images/upgrade-analytics-telemetry.png) + ![Windows Telemetry dialog showing button for "how to enable telemetry," the current commercial ID key, and a Subsribe button](../images/upgrade-analytics-telemetry.png) 2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers. 
@@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros - Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. - Schedule monthly user computer scans to view monthly active computer and usage information. ->When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on. +>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on. ### Distribute the deployment script at scale diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index eb98ebd2cf..687130e800 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md 
@@ -30,7 +30,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). -Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-branch) to understand more about LTSB. +Windows 10 LTSB is not supported by Upgrade Readiness. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSB. ## Operations Management Suite diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 9ca055c5f5..731feea00e 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -2,7 +2,7 @@ title: Upgrade Readiness - Resolve application and driver issues (Windows 10) description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. ms.prod: w10 -author: greg-lindsay +author: jaimeo --- # Upgrade Readiness - Step 2: Resolve app and driver issues 
@@ -14,8 +14,8 @@ This section of the Upgrade Readiness workflow reports application and driver in The blades in the **Step 2: Resolve issues** section are: - [Review applications with known issues](#review-applications-with-known-issues) -- [Review applications with no known issues](#review-applications-with-no-known-issues) - [Review known driver issues](#review-known-driver-issues) +- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers) - [Prioritize app and driver testing](#prioritize-app-and-driver-testing) >You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list. @@ -48,7 +48,7 @@ To change an application's upgrade decision: 4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. 5. Click **Save** when finished. -IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. +IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. 
@@ -107,26 +107,6 @@ The following table lists possible values for **ReadyForWindows** and what they |Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| | Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | -## Review applications with no known issues - -Applications with no issues known to Microsoft are listed, grouped by upgrade decision. - -![Review applications with no known issues](../images/upgrade-analytics-apps-no-known-issues.png) - -Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**. - -Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates. - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table. - -2. Select **User changes** to change the upgrade decision for each application. - -3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. 
- ## Review drivers with known issues Drivers that won’t migrate to the new operating system are listed, grouped by availability. 
@@ -152,9 +132,30 @@ To change a driver’s upgrade decision: 4. Click **Save** when finished. +## Review low-risk apps and drivers + +Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade. + +![Blade showing low-risk apps](../images/ua-step2-low-risk.png) + +The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. + +The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in telemetry. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. + +Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**.  This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. + +You can customize the criteria further by using the Log Search query language. 
For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**.  Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. + +>[!NOTE] +>Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. + + At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed. + + + ## Prioritize app and driver testing -Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. +Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan. 
### Proposed action plan diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md index bbbb2a155d..860f86c5bb 100644 --- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md +++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md @@ -9,7 +9,7 @@ author: greg-lindsay The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. -The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md). +The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version). The following color-coded status changes are reflected on the upgrade overview blade: 
@@ -32,7 +32,7 @@ The following color-coded status changes are reflected on the upgrade overview b - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. - If the current value is a deprecated OS version, the version is displayed in red. -Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs. +Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs. In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: @@ -65,4 +65,4 @@ Select **Total applications** for a list of applications discovered on user comp - Percentage of computers in your total computer inventory that opened the application in the past 30 days - Issues detected, if any - Upgrade assessment based on analysis of application data -- Rollup level \ No newline at end of file +- Rollup level diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 16a4afb7a6..f0e227a621 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -4,7 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 keywords: upgrade, update, task sequence, deploy ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy author: mtniehaus --- diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 1f11512559..85e7a02389 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -5,7 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 311e03efba..1a3d373bbe 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -4,7 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de keywords: upgrade, update, windows, phone, windows 10, mdm, mobile ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: Jamiejdt diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index 85acab5a0a..e074aad404 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md 
@@ -2,7 +2,7 @@ title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) description: Describes how to use Upgrade Readiness to manage Windows upgrades. ms.prod: w10 -author: greg-lindsay +author: jaimeo --- # Use Upgrade Readiness to manage Windows upgrades @@ -14,7 +14,7 @@ You can use Upgrade Readiness to prioritize and work through application and dri When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. -![Workflow](../images/ua-cg-15.png) +![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png) Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. 
@@ -35,20 +35,20 @@ Also see the following topic for information about additional items that can be The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example: -![Target version](../images/ur-target-version.png) +![Upgrade overview showing target version](../images/ur-target-version.png) As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607. +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703. 
To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: -![Target version](../images/ua-cg-08.png) +![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png) >You must be signed in to Upgrade Readiness as an administrator to view settings. On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. -![Target version](../images/ur-settings.png) +![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 3fb9bda5d9..e98e9e3167 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -4,7 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mobile author: greg-lindsay @@ -21,8 +21,8 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. X = unsupported
    -✔ (green) = supported; reboot required
    -✔ (blue) = supported; no reboot required. +✔ (green) = supported; reboot required
    +✔ (blue) = supported; no reboot required |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 195aaaa374..7b48b01727 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -4,7 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay --- diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md new file mode 100644 index 0000000000..a6f560cc33 --- /dev/null +++ b/windows/deployment/vda-subscription-activation.md 
@@ -0,0 +1,89 @@ +--- +title: Configure VDA for Windows 10 Subscription Activation +description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/23/2017 +author: greg-lindsay +--- + +# Configure VDA for Windows 10 Subscription Activation + +This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. + +## Requirements + +- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be Active Directory-joined or Azure Active Directory-joined. +- VMs must be generation 1. +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +## Active Directory-joined VMs + +1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image) +2. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +5. Click **Add**, type **Authenticated users**, and then click **OK** three times. +6. 
Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd). +7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +8. Open Windows Configuration Designer and click **Provison desktop services**. +9. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. +10. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +11. On the Set up network page, choose **Off**. +12. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). +13. On the Add applications page, add applications if desired. This step is optional. +14. On the Add certificates page, add certificates if desired. This step is optional. +15. On the Finish page, click **Create**. +16. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. +17. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: + + ``` + Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" + ``` +18. Right-click the mounted image in file explorer and click **Eject**. +19. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. 
+ +## Azure Active Directory-joined VMs + +>[!IMPORTANT] +>Azure Active Directory (Azure AD) provisioning packages have a 30 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 30 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. + +For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: +- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. +- In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below. + +To create custom RDP settings for Azure: + +1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. +2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. +3. Close the Remote Desktop Connection window and open Notepad. +4. Drag the RDP file into the Notepad window to edit it. +5. Enter or replace the line that specifies authentication level with the following two lines of text: + + ```text + enablecredsspsupport:i:0 + authentication level:i:2 + ``` +6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. +7. 
Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related topics + +[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) +
    [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) +
    [Licensing the Windows Desktop for VDI Environments](http://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) + diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 0a6428d6c9..095d461e1e 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -localizationpriority: high +ms.localizationpriority: high --- # Activate using Active Directory-based activation diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 9b9225de42..57fdf3e0a6 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Activate using Key Management Service diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index acf1786ec8..2a3c80b8b2 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
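Review bot: The new VDA page tells readers to weaken RDP on the image without stating the exposure: step 2 sets `UserAuthentication` to 0 (Network Level Authentication off, so any client that can reach TCP 3389 gets the logon screen), step 5 grants **Authenticated users** remote-logon rights to every account in the directory rather than a dedicated RDP group, and the Azure AD RDP file's `enablecredsspsupport:i:0` means the connection is no longer pre-authenticated before the session opens. Add a caution after step 2 such as `>[!IMPORTANT]` / `>Disabling Network Level Authentication exposes the logon screen to unauthenticated clients; keep NLA enabled unless the scenario requires it, and only expose RDP on these VMs through a network security group, a bastion host, or just-in-time access.`, and reword step 5 to add a purpose-built group instead of **Authenticated users**. Separately, the new file's front matter still uses `localizationpriority: high` while the other files in this commit are migrated to `ms.localizationpriority`, so it will presumably be missed by whatever consumes the new key.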
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Activate clients running Windows 10 diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 1ea07efda6..ca6ec523b8 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Appendix: Information sent to Microsoft during activation **Applies to** diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 3c4cd55263..d141c48130 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install and Configure VAMT diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 5a296869a0..1aecc1fd56 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install a KMS Client Key 
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 0418bd6a7c..623f14c7bd 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install a Product Key diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 767086f01e..f20fa8522a 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install VAMT diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 215c706ab1..ffe55fe3ad 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -localizationpriority: medium +ms.localizationpriority: medium --- # Monitor activation diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 93bf083b08..37335d3504 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Plan for volume activation diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index 0322aa4208..b81e84356d 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Use the Volume Activation Management Tool diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index a9746eeb19..d7cc0b2c2a 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Volume Activation for Windows 10 diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md index 7413ecc71c..4bcaef04a8 100644 --- a/windows/deployment/windows-10-auto-pilot.md +++ b/windows/deployment/windows-10-auto-pilot.md 
@@ -1,10 +1,10 @@ --- title: Overview of Windows AutoPilot -description: This topic goes over Auto-Pilot and how it helps setup OOBE Windows 10 devices. +description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices. keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy author: DaniHalfin @@ -19,21 +19,21 @@ ms.date: 06/30/2017 - Windows 10 Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
    -This solution enables the IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. +This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. ## Benefits of Windows AutoPilot -Traditionally, IT Pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. +Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. From the users' perspective, it only takes a few simple operations to make their device ready to use. -From the IT Pros' perspective, the only interaction required from the end-user, is to connect to a network and to verify their credentials. Everything past that is automated. +From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. Windows AutoPilot allows you to: -* Automatically join devices to Azure Active Directory -* Auto-enroll devices into MDM services, such as Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Automatically join devices to Azure Active Directory (Azure AD) +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) * Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on the devices' profile +* Create and auto-assign devices to configuration groups based on a device's profile * Customize OOBE content specific to the organization ### Prerequisites 
@@ -41,7 +41,7 @@ Windows AutoPilot allows you to: * [Devices must be registered to the organization](#registering-devices-to-your-organization) * Devices have to be pre-installed with Windows 10, version 1703 or later * Devices must have access to the internet -* [Azure AD premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) * Microsoft Intune or other MDM services to manage your devices ## Windows AutoPilot Scenarios @@ -55,9 +55,9 @@ The Cloud-Driven scenario enables you to pre-register devices through the Window The end user unboxes and turns on a new device. What follows are a few simple configuration steps: * Select a language and keyboard layout * Connect to the network -* Provide email address (the email of the user's Azure Active Directory account) and password +* Provide email address (the email address of the user's Azure AD account) and password -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure Active Directory, enrolled in Microsoft Intune (or any other MDM service). +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. 
@@ -68,19 +68,15 @@ MDM enrollment ensures policies are applied, apps are installed and setting are In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. -If you would like to capture that information by yourself, the following PowerShell script will generate a text file with the device's hardware ID. +If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID. -```PowerShell -$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt" -``` >[!NOTE] ->This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance. +>This PowerShell script requires elevated permissions. By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization. Additional options and customization is available through these portals to pre-configure the devices. -Options available for Windows 10, Version 1703: +Options available for Windows 10, version 1703: * Skipping Work or Home usage selection (*Automatic*) * Skipping OEM registration, OneDrive and Cortana (*Automatic*) * Skipping privacy settings 
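Review bot: The rewritten paragraph sends readers to download Get-WindowsAutoPilotInfo from the PowerShell Gallery and, per the NOTE that survives the hunk, run it elevated, but gives no guidance on verifying what they run; the removed inline two-liner was at least reviewable on the page. Add a sentence after the NOTE such as `>Install it with `Install-Script -Name Get-WindowsAutoPilotInfo -RequiredVersion <version>`, review the script contents, and if it carries an Authenticode signature check it with `Get-AuthenticodeSignature` before running it elevated.` The generated .csv is what the next paragraph says registers devices to your organization, so it is also worth a line telling readers to treat that file as sensitive and delete it after upload.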
@@ -88,19 +84,19 @@ Options available for Windows 10, Version 1703: We are working to add additional options to further personalize and streamline the setup experience in future releases. -To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). +To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). ### IT-Driven -If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with WCD, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). +If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). ### Teacher-Driven -If you're an IT Pro or a technical staff member at a school, your scenario might be simpler. 
The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. +If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. ## Ensuring your device can be auto-enrolled to MDM -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please follow [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. >[!NOTE] ->MDM Auto-enrollment requires an Azure AD Premium P1 or P2 subscription. \ No newline at end of file +>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 9c89248ded..242f5aa4e7 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md 
@@ -5,7 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 keywords: upgrade, in-place, configuration, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index 2a08717439..d6f852cae5 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -10,50 +10,14 @@ author: greg-lindsay # Windows 10 deployment tools - Learn about the tools available to deploy Windows 10. -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Windows 10 deployment tools reference](windows-deployment-scenarios-and-tools.md)

    To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.

    [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)

    The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.

    [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)

    The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.

    [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)

    The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.

    - -  - -  - -  - - - - - +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. 
| +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md new file mode 100644 index 0000000000..d6f852cae5 --- /dev/null +++ b/windows/deployment/windows-10-deployment-tools.md 
@@ -0,0 +1,23 @@ +--- +title: Windows 10 deployment tools (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +--- + +# Windows 10 deployment tools + +Learn about the tools available to deploy Windows 10. + +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. 
| +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 5e807ab7d6..5f663ae222 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md 
@@ -1,21 +1,21 @@ --- -title: Windows 10 Enterprise E3 in CSP overview +title: Windows 10 Enterprise E3 in CSP description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- -# Windows 10 Enterprise E3 in CSP overview +# Windows 10 Enterprise E3 in CSP Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded - - Azure Active Directory (Azure AD) available for identity management Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. 
@@ -134,151 +134,9 @@ Windows 10 Enterprise edition has a number of features that are unavailable in -## Preparing for deployment of Windows 10 Enterprise E3 licenses +## Deployment of Windows 10 Enterprise E3 licenses -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 licenses to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. - -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) - -**Figure 1. 
On-premises AD DS integrated with Azure AD** - -For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: - -- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -### Preparing for deployment: reviewing requirements - -Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. - - - -## Explore the upgrade experience - -Now that your subscription has been established (by the partner who you work with) and Windows 10 Enterprise E3 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? - -### Step 1: Join users’ devices to Azure AD - -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. - - Who owns this PC? page in Windows 10 setup - - **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. 
- - Choose how you'll connect - page in Windows 10 setup - - **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. - - Let's get you signed in - page in Windows 10 setup - - **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** - -Now the device is Azure AD joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up** - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. - - Connect to work or school configuration - - **Figure 5. Connect to work or school configuration in Settings** - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. - - Set up a work or school account - - **Figure 6. Set up a work or school account** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. - - Let's get you signed in - dialog box - - **Figure 7. The “Let’s get you signed in” dialog box** - -Now the device is Azure AD joined to the company’s subscription. - -### Step 2: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -Sign in, Windows 10 - -**Figure 8. Sign in by using Azure AD account** - -### Step 3: Verify that Enterprise edition is enabled - -You can verify the Windows 10 Enterprise E3 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. 
- - -#### Figure 9 - Windows 10 Enterprise E3 subscription in Settings - -Windows 10 activated and subscription active - -If there are any problems with the Windows 10 Enterprise E3 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Enterprise E3 subscription. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1607 operating system is not activated. - -- The Windows 10 Enterprise E3 subscription has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -- [Figure 9](#win-10-activated-subscription-active) illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Enterprise E3 subscription is active. - -- [Figure 10](#win-10-not-activated) illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Enterprise E3 subscription is active. - -- [Figure 11](#subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 is activated, but the Windows 10 Enterprise E3 subscription is lapsed or removed. - -- [Figure 12](#win-10-not-activated-subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 license is not activated and the Windows 10 Enterprise E3 subscription is lapsed or removed. - - -### Figure 10 - Windows 10 Pro, version 1607 edition not activated in Settings - -Windows 10 not activated and subscription active

    - - -### Figure 11 - Windows 10 Enterprise E3 subscription lapsed or removed in Settings - -Windows 10 activated and subscription not active

    - - -### Figure 12 - Windows 10 Pro, version 1607 edition not activated and Windows 10 Enterprise E3 subscription lapsed or removed in Settings - -Windows 10 not activated and subscription not active

    - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory joined:** - -1. Open a command prompt and type **dsregcmd /status**. - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10:** - -- At a command prompt, type: - **winver** - - A popup window will display the Windows 10 version number and detailed OS build information. - - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Deploy Windows 10 Enterprise features @@ -389,8 +247,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f ## Related topics -[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) - -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) - -[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) +[Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) +
    [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
    [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) +
    [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md new file mode 100644 index 0000000000..c767d18075 --- /dev/null +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md 
@@ -0,0 +1,128 @@ +--- +title: Windows 10 Subscription Activation +description: How to enable Windows 10 Enterprise E3 and E5 subscriptions +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +ms.date: 08/23/2017 +author: greg-lindsay +--- + +# Windows 10 Subscription Activation + +With Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. + + If you are running Windows 10 version 1703 or later: + +- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. +- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. + +Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis). + +See the following topics in this article: +- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model. +- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). 
+ +## Requirements + +For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: + +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded +- Azure Active Directory (Azure AD) available for identity management +- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported. + +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). + +If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) + +## Benefits + +With Windows 10 Enterprise, businesses can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise E3 or E5 to their users. Now, with Windows 10 Enterprise E3 and E5 being available as a true online service, it is available in every channel thus allowing all organizations to take advantage of enterprise grade Windows 10 features. 
To compare Windows 10 editions and review pricing, see the following: + +- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing) + +You can benefit by moving to Windows as an online service in the following ways: + +1. Licenses for Windows 10 Enterprise are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +2. Azure AD logon triggers a silent edition upgrade, with no reboot required +3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. +4. Compliance support via seat assignment. + +## How it works + +When a licensed user signs in to a device that meets requirements using the Azure AD credentials associated with a Windows 10 Enterprise E3 or E5 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days. + +Devices currently running Windows 10 Pro, version 1703 can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. + +### Licenses + +The following policies apply to acquisition and renewal of licenses on devices: +- Devices that have been upgraded will attempt to acquire licenses every 30 days, and must be connected to the Internet to be successful. +- Licenses are valid for 90 days. If a device is disconnected from the Internet until its current license expires, the operating system will revert to Windows 10 Pro. 
As soon as the device is connected to the Internet again, the license will automatically renew assuming the device is still present on list of user devices. +- Up to five devices can be upgraded for each user license. +- The list of devices is chronological and cannot be manually modified. +- If a device meets requirements and a licensed user signs in on that device, it will be upgraded. +- If five devices are already on the list and a subscribed user signs in on a sixth device, then this new device is added to the end of the list and the first device is removed. +- Devices that are removed from the list will cease trying to acquire a license and revert to Windows 10 Pro when the grace period expires. + +Licenses can also be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). + +### Existing Enterprise deployments + +If you have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you are able to seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. + +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: + +

    +@echo off
    +FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  ( 
    +SET "ProductKey=%%A"
    +goto InstallKey
    +)
    +
    +:InstallKey
    +IF [%ProductKey%]==[] (
    +echo No key present
    +) ELSE (
    +echo Installing %ProductKey%
    +changepk.exe /ProductKey %ProductKey%
    +)
    +
    + +### Obtaining an Azure AD licence + +Enterprise Agreement/Software Assurance (EA/SA): +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). +- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. + +Microsoft Products & Services Agreements (MPSA): +- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. +- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. + +### Deploying licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). + +## Related topics + +[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
    [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) +
    [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 2ba92a4627..f7f79e2f18 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -6,7 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt -localizationpriority: high +ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 7cd077d90a..dc842b3f38 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -6,7 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm -localizationpriority: high +ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- 
@@ -205,6 +206,10 @@ Topics and procedures in this guide are summarized in the following table. An es ## Download MDOP and install DaRT +>[!IMPORTANT] +>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). +>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). + 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: @@ -234,8 +239,8 @@ This section contains several procedures to support Zero Touch installation with 1. Type the following commands at a Windows PowerShell prompt on SRV1: ``` - New-Item -ItemType Directory -Path "C:Sources\OSD\Boot" - New-Item -ItemType Directory -Path "C:Sources\OSD\OS" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" 
@@ -555,7 +560,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: ``` - New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64" + New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" ``` diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index ebdbe4e613..5a67eebb9e 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -6,7 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm -localizationpriority: high +ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- @@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Add-DnsServerForwarder -IPAddress 192.168.0.2 + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +
    +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    +    Set-ADUser -Identity user1 -PasswordNeverExpires $true
    +    Set-ADUser -Identity administrator -PasswordNeverExpires $true
    +    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    +    
    + 12. Minimize the DC1 VM window but **do not stop** the VM. Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. @@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Restart-Computer -### Configure service and user accounts - -Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - ->To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
    -New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    -Set-ADUser -Identity user1 -PasswordNeverExpires $true
    -Set-ADUser -Identity administrator -PasswordNeverExpires $true
    -Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    -
    - This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. ## Appendix A: Verify the configuration diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index afc909741a..154981a4b6 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -4,7 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: greg-lindsay --- diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index d1fe29aa6f..8290d3383d 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -9,7 +9,7 @@ ms.sitesec: library author: mtniehaus --- -# Windows 10 deployment tools reference +# Windows 10 deployment scenarios and tools To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md index 9305ed157e..0ac76da289 100644 --- a/windows/device-security/TOC.md +++ b/windows/device-security/TOC.md 
@@ -89,11 +89,12 @@ #### [AppLocker Settings](applocker\applocker-settings.md) ## [BitLocker](bitlocker\bitlocker-overview.md) -### [Overview of BitLocker and device encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) +### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) ### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md) ### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md) ### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md) ### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md) +### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md) ### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md) ### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) ### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md) @@ -650,6 +651,7 @@ ## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md) ### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md) ### [TPM fundamentals](tpm/tpm-fundamentals.md) +### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md) ### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md) ### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md) ### [Manage TPM commands](tpm/manage-tpm-commands.md) diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/device-security/applocker/applocker-overview.md index 80cbfe0b49..1d4fe3bc2f 100644 
--- a/windows/device-security/applocker/applocker-overview.md +++ b/windows/device-security/applocker/applocker-overview.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/applocker/delete-an-applocker-rule.md b/windows/device-security/applocker/delete-an-applocker-rule.md index 3d4888fb73..4f50ad433f 100644 --- a/windows/device-security/applocker/delete-an-applocker-rule.md +++ b/windows/device-security/applocker/delete-an-applocker-rule.md @@ -32,3 +32,23 @@ AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins >**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. When this procedure is performed on the local device, the AppLocker policy takes effect immediately. + +**To clear AppLocker policies on a single system or remote systems** +Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents: + + + + +To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules: + + PS C:\Users\Administrator> import-module AppLocker + +We will create a file (for example, clear.xml), place it in the same directory where we are executing our cmdlet, and add the preceding XML contents. Then run the following command: + + C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml + +This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. diff --git a/windows/device-security/applocker/requirements-to-use-applocker.md b/windows/device-security/applocker/requirements-to-use-applocker.md index 81fe0f76ba..caa0c16d67 100644 --- a/windows/device-security/applocker/requirements-to-use-applocker.md 
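Review bot: The procedure added to delete-an-applocker-rule.md says the .XML file should contain "the following contents", but no XML appears between that sentence and `+To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules:`; the hunk header announces 20 added lines and only about 15 are visible here, so the policy XML was probably stripped when this page was rendered, but if it is missing from the source as well the steps cannot be followed and the clearing policy should be given as a fenced code block. The two example prompts are inconsistent: `PS C:\Users\Administrator> import-module AppLocker` carries a `PS` prompt while `C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml` does not, so use the same prompt for both and present them as code. Since the closing sentence notes that this removes all AppLocker policies on a machine and the earlier Note in this file says a locally applied policy takes effect immediately, it would help to state in that sentence that the reset is immediate and should be validated on a single system before it is scripted across many.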
+++ b/windows/device-security/applocker/requirements-to-use-applocker.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index f08b02baf6..97e9d04fb9 100644
--- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -1,6 +1,6 @@
 ---
-title: Overview of BitLocker and device encryption in Windows 10
-description: This topic provides an overview of how BitLocker and device encryption can help protect data on devices running Windows 10.
+title: Overview of BitLocker Device Encryption in Windows 10
+description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows 10.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -8,12 +8,14 @@ ms.pagetype: security author: Justinha --- -# Overview of BitLocker and device encryption in Windows 10 +# Overview of BitLocker Device Encryption in Windows 10 **Applies to** - Windows 10 -This topic provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. +For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). +For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. @@ -23,14 +25,14 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | Windows 7 | Windows 10 | |---|---| -| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | +| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

    Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | | Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. | | BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. | -| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | The sections that follow describe these improvements in more detail. Also see: 
@@ -58,23 +60,23 @@ Microsoft includes instrumentation in Windows 10 that enables the operating sys BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker. With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10. -## Device encryption +## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support InstantGo. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are InstantGo. 
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. -Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: +Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: -* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). +* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). * If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. 
* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. * Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. -Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting: +Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: - **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker - **Value**: PreventDeviceEncryption equal to True (1) - **Type**: REG\_DWORD -Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. 
No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. ## Used Disk Space Only encryption diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md index e0f1bc14e9..af3bab22cc 100644 --- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md 
@@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen `manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>` + +### When should an additional method of authentication be considered? + +New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. +For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. + ### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. 
@@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. +### Can I use BitLocker with virtual machines (VMs)? + +Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. + + ## More information - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md new file mode 100644 index 0000000000..2315455956 --- /dev/null +++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md 
@@ -0,0 +1,185 @@ +--- +title: BitLocker Management Recommendations for Enterprises (Windows 10) +description: This topic explains recommendations for managing BitLocker. +ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# BitLocker Management Recommendations for Enterprises + +This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices. + +## Forward-looking recommendations for managing BitLocker + +The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. + +Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD). + +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. 
This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for: + + - [Domain-joined computers](#dom_join) + + - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad) + + - [Workplace-joined PCs and Phones](#work_join) + + - [Servers](#servers) + + - [Scripts](#powershell) + +
    + +## BitLocker management at a glance + +| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone +|---|---|----|---|---| +|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A| +|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS| + +
    +*PC hardware that supports InstantGo or HSTI + +
    +
    + + +## Recommendations for domain-joined computers + +Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption). + +Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). + +For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality: + +- Encrypts device with BitLocker using MBAM +- Stores BitLocker Recovery keys in MBAM Server +- Provides Recovery key access to end-user, helpdesk and advanced helpdesk +- Provides Reporting on Compliance and Recovery key access audit + + +[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1). + +
    + + +## Recommendations for devices joined to Azure Active Directory + + + +Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. + +Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. + +For hardware that is compliant with InstantGo and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. 
+ + + +## Workplace-joined PCs and phones + +For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join. + + + +## Recommendations for servers + +Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. + +The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/). + +If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. 
+ + Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + + For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles). +  + + +## PowerShell examples + +For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. + +*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* +``` +PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector + +PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:” + +PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId +``` +For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). + +*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker* +``` +PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector + +PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:” + +PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId + ``` + +Subsequently, you can use PowerShell to enable BitLocker. 
+ +*Example: Use PowerShell to enable BitLocker with a TPM protector* + ``` +PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector + ``` +*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456* + ``` +PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force + +PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector + ``` + + + +## Related Articles + +[BitLocker: FAQs](bitlocker-frequently-asked-questions.md) + +[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx) + +[Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) + +[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)* + +[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker) + +[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx) + +[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) +*(Overview)* + +[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))* + +[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) + +
    + +**Windows Server setup tools** + +[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx) + +[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/) + +[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)* + +[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md) + +[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + +[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) + +
    +
+
+**Powershell**
+
+[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
+
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
\ No newline at end of file
diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md
index d92c5e1cce..6a94dab8c8 100644
--- a/windows/device-security/bitlocker/bitlocker-overview.md
+++ b/windows/device-security/bitlocker/bitlocker-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
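Review bot: The new bitlocker-management-for-enterprises.md keeps the old front-matter key `+localizationpriority: high` near the top of the hunk, while this same commit renames that key to `ms.localizationpriority: high` in every other file it touches, including bitlocker-overview.md on this very line; change the new file to `ms.localizationpriority: high` so it is not left behind by the rename. In both `$BLV = Get-BitLockerVolume -MountPoint "C:”` lines of the PowerShell examples the closing quote is a typographic `”` rather than `"`; PowerShell itself generally accepts typographic quotes, but it is inconsistent with the surrounding examples and fails when the line is pasted into other tooling, so change both to `-MountPoint "C:"`. The TPM+PIN example passes a literal PIN through `ConvertTo-SecureString "123456" -AsPlainText -Force`, which is fine as an illustration but reads as a pattern to copy into deployment scripts; consider a comment above it such as `# Example only: in a deployment script obtain the PIN with Read-Host -AsSecureString or from a protected source, and size it per the enhanced-PIN guidance in the FAQ` so the literal and the six-digit numeric length are not carried into production, consistent with the enhanced-PIN and PIN-length advice the same commit adds to bitlocker-frequently-asked-questions.md.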
@@ -67,7 +67,7 @@ When installing the BitLocker optional component on a server you will also need
 | Topic | Description |
 | - | - |
-| [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. |
+| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. |
 | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
 | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
 | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
diff --git a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md b/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md
index 557719c15c..5ffc817153 100644
--- a/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/device-security/bitlocker/bitlocker-recovery-guide-plan.md
@@ -44,7 +44,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-- On PCs that use either BitLocker or Device Encryption, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
 - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery.
However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
 - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
 - Failing to boot from a network drive before booting from the hard drive.
@@ -250,9 +250,9 @@ If you have lost the USB flash drive that contains the startup key, then you mus
 This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
-## Windows RE and BitLocker
+## Windows RE and BitLocker Device Encryption
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start.
When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
 ## Using additional recovery information
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index f5c4e6001a..cb46edf710 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,19 @@ author: brianlic-msft
 # Change history for device security
 This topic lists new and updated topics in the [Device security](index.md) documentation.
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
+
+
+## July 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
+
+
 ## May 2017
 |New or changed topic |Description |
 |---------------------|------------|
diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
index 898731c8d2..0e2e0995b9 100644
--- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -1,10 +1,10 @@
 ---
 title: Deploy catalog files to support code integrity policies (Windows 10)
-description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Device Guard in Windows 10.
+description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
@@ -16,7 +16,7 @@ author: brianlic-msft
 Catalog files can be important in your deployment of code integrity polices if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create code integrity policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
-For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Device Guard."
+For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
 ## Create catalog files
@@ -30,7 +30,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
 Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
- > **Note**  This process should **not** be performed on a system with an enforced Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
+ > **Note**  This process should **not** be performed on a system with an enforced Windows Defender Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
 2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
@@ -150,7 +150,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
- > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+ > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
 ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png)
@@ -318,9 +318,9 @@ At the time of the next software inventory cycle, when the targeted clients rece
 ## Related topics
-- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
-- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
+- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
index e1046621fc..71f007b12c 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
@@ -1,10 +1,10 @@
 ---
 title: Deploy code integrity policies - policy rules and file rules (Windows 10)
-description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Device Guard in Windows 10.
+description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Windows Defender Device Guard in Windows 10.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
@@ -15,8 +15,8 @@ author: brianlic-msft
 - Windows Server 2016
 Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see:
-- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
-- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
+- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies."
+- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
 If you already understand the basics of code integrity policy and want procedures for creating, auditing, and merging code integrity policies, see [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md).
@@ -29,7 +29,7 @@ This topic includes the following sections:
 ## Overview of the process of creating code integrity policies
-A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies.
@@ -47,7 +47,7 @@ To modify the policy rule options of an existing code integrity policy, use the ` Set-RuleOption -FilePath -Option 0`
- Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
+ Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
 - To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
@@ -80,7 +80,7 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule
 File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy.
-Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.
+Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Windows Defender Device Guard deployment scenario.
 Table 3. Code integrity policy - file rule levels
@@ -113,5 +113,5 @@ They could also choose to create a catalog that captures information about the u
 ## Related topics
-- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats)
+- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats)
 - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index 1f4eff567b..9f7bef9162 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -1,10 +1,10 @@
 ---
 title: Deploy code integrity policies - steps (Windows 10)
-description: This article describes how to deploy code integrity policies, one of the main features that are part of Device Guard in Windows 10.
+description: This article describes how to deploy code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
@@ -14,7 +14,7 @@ author: brianlic-msft
 - Windows 10
 - Windows Server 2016
-For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Device Guard deployment process, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
 ## Create a code integrity policy from a golden computer
@@ -26,14 +26,14 @@ The process for creating a golden code integrity policy from a reference system
 ### Scripting and applications
 Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
-You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
-Members of the security community\* continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies.
+Members of the security community\* continuously collaborate with Microsoft® to help protect customers.
With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies.
-Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard:
+Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard:
 - bash.exe
-- bginfo.exe
+- bginfo.exe[1]
 - cdb.exe
 - csi.exe
 - dnx.exe
@@ -42,14 +42,16 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - kd.exe
 - ntkd.exe
 - lxssmanager.dll
-- msbuild.exe[1]
+- msbuild.exe[2]
 - mshta.exe
 - ntsd.exe
 - rcsi.exe
 - system.management.automation.dll
 - windbg.exe
-[1]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
+
+[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
 *Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
@@ -68,9 +70,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 >[!Note]
 >This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
-Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions.
+Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Windows Defender Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions.
-Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
 Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
@@ -246,7 +248,7 @@ To create a code integrity policy, copy each of the following commands into an e
 > [!Notes]
- > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
+ > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
 > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
@@ -258,7 +260,7 @@ To create a code integrity policy, copy each of the following commands into an e ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` -After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. +After you complete these steps, the Windows Defender Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. > [!Note] > We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). @@ -284,7 +286,7 @@ When code integrity policies are run in audit mode, it allows administrators to > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] 
@@ -337,7 +339,7 @@ Use the following procedure after you have been running a computer with a code i > [!Note] > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. -4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: +4. Find and review the Windows Defender Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file. 
@@ -582,7 +584,7 @@ There may be a time when signed code integrity policies cause a boot failure. Be ## Deploy and manage code integrity policies with Group Policy -Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. +Code integrity policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. > [!Note] > This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. 
@@ -596,7 +598,7 @@ To deploy and manage a code integrity policy with Group Policy: 2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3. - > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png) @@ -606,7 +608,7 @@ To deploy and manage a code integrity policy with Group Policy: 4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**. +5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**. ![Edit the group policy for code integrity](images/dg-fig25-editcode.png) 
@@ -630,7 +632,7 @@ To deploy and manage a code integrity policy with Group Policy: ## Related topics -[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +[Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -[Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +[Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md index baad65e7bb..886d093664 100644 --- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md 
@@ -1,14 +1,14 @@ --- -title: Deploy Device Guard - deploy code integrity policies (Windows 10) -description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Device Guard in Windows 10. +title: Deploy Windows Defender Device Guard - deploy code integrity policies (Windows 10) +description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- -# Deploy Device Guard: deploy code integrity policies +# Deploy Windows Defender Device Guard: deploy code integrity policies **Applies to** - Windows 10 
@@ -20,13 +20,13 @@ This section includes the following topics: - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -- [Deploy Managed Installer for Device Guard](deploy-managed-installer-for-device-guard.md) +- [Deploy Managed Installer for Windows Defender Device Guard](deploy-managed-installer-for-device-guard.md) To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based security (VBS) with your code integrity policies. -- For requirements, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard) in "Requirements and deployment planning guidelines for Device Guard." -- For steps, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). +- For requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." +- For steps, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). 
## Related topics -[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +[Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index 773414f009..7f3deced86 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md 
@@ -1,34 +1,34 @@ --- -title: Deploy Device Guard - enable virtualization-based security (Windows 10) -description: This article describes how to enable virtualization-based security, one of the main features that are part of Device Guard in Windows 10. +title: Deploy Windows Defender Device Guard - enable virtualization-based security (Windows 10) +description: This article describes how to enable virtualization-based security, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- -# Deploy Device Guard: enable virtualization-based security +# Deploy Windows Defender Device Guard: enable virtualization-based security **Applies to** - Windows 10 - Windows Server 2016 -Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Device Guard: +Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Windows Defender Device Guard security offerings. VBS reinforces the most important feature of Windows Defender Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Windows Defender Device Guard: -1. **Decide whether to use the procedures in this topic, or to use the Device Guard readiness tool**. To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. +1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. 
To enable VBS, you can download and use [the hardware readiness tool on the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or follow the procedures in this topic. -2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). +2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). -3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). +3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. 
You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). -4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. +4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic. -For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +For information about enabling Windows Defender Credential Guard, see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). 
-## Windows feature requirements for virtualization-based security and Device Guard +## Windows feature requirements for virtualization-based security and Windows Defender Device Guard -In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: +In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: - Beginning with Windows 10, version 1607 or Windows Server 2016:
    Hyper-V Hypervisor, which is enabled automatically. No further action is needed. @@ -42,17 +42,17 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -## Enable Virtualization Based Security (VBS) and Device Guard +## Enable Virtualization Based Security (VBS) and Windows Defender Device Guard -There are multiple ways to configure VBS features for Device Guard: +There are multiple ways to configure VBS features for Windows Defender Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. - You can use Group Policy, as described in the procedure that follows. -- You can configure VBS manually, as described in [Use registry keys to enable VBS and Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. +- You can configure VBS manually, as described in [Use registry keys to enable VBS and Windows Defender Device Guard](#use-registry-keys-to-enable-vbs-and-device-guard), later in this topic. > **Note**  We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. -### Use Group Policy to enable VBS and Device Guard +### Use Group Policy to enable VBS and Windows Defender Device Guard 1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. 
@@ -64,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) @@ -76,7 +76,7 @@ There are multiple ways to configure VBS features for Device Guard: Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607) - > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). + > **Important**  These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). 6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option. 
@@ -95,15 +95,15 @@ There are multiple ways to configure VBS features for Device Guard: 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart. -8. Check the test computer’s event log for Device Guard GPOs. +8. Check the test computer’s event log for Windows Defender Device Guard GPOs. - Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. + Processed Windows Defender Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. ->**Note**  Events will be logged in this event channel only when Group Policy is used to enable Device Guard features, not through other methods. If other methods such as registry keys are used, Device Guard features will be enabled but the events won’t be logged in this event channel. +>**Note**  Events will be logged in this event channel only when Group Policy is used to enable Windows Defender Device Guard features, not through other methods. If other methods such as registry keys are used, Windows Defender Device Guard features will be enabled but the events won’t be logged in this event channel. -### Use registry keys to enable VBS and Device Guard +### Use registry keys to enable VBS and Windows Defender Device Guard -Set the following registry keys to enable VBS and Device Guard. This provides exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable VBS and Windows Defender Device Guard. 
This provides exactly the same set of configuration options provided by Group Policy. > [!WARNING] > Virtualization-based protection of code integrity (controlled through the registry key **HypervisorEnforcedCodeIntegrity**) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). @@ -111,7 +111,7 @@ Set the following registry keys to enable VBS and Device Guard. This provides ex > **Important**   -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
    +> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
    In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
    For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
    > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 1607 and above @@ -210,9 +210,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` -### Validate enabled Device Guard hardware-based security features +### Validate enabled Windows Defender Device Guard hardware-based security features -Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: +Windows 10 and Windows Server 2016 and later have a WMI class for Windows Defender Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: ` Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` @@ -238,7 +238,7 @@ Table 1. Win32\_DeviceGuard properties AvailableSecurityProperties -This field helps to enumerate and report state on the relevant security properties for Device Guard. +This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
    • 0. If present, no relevant properties exist on the device.

    • 1. If present, hypervisor support is available.

    • @@ -273,19 +273,19 @@ Table 1. Win32\_DeviceGuard properties SecurityServicesConfigured -This field indicates whether the Credential Guard or HVCI service has been configured. +This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
      • 0. No services configured.

      • -
      • 1. If present, Credential Guard is configured.

      • +
      • 1. If present, Windows Defender Credential Guard is configured.

      • 2. If present, HVCI is configured.

      SecurityServicesRunning -This field indicates whether the Credential Guard or HVCI service is running. +This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
      • 0. No services running.

      • -
      • 1. If present, Credential Guard is running.

      • +
      • 1. If present, Windows Defender Credential Guard is running.

      • 2. If present, HVCI is running.

      @@ -311,14 +311,14 @@ Table 1. Win32\_DeviceGuard properties -Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. +Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6. -![Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) +![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) -Figure 6. Device Guard properties in the System Summary +Figure 6. Windows Defender Device Guard properties in the System Summary ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index cf53463610..53d92d3c77 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md 
+++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -1,16 +1,16 @@ --- -title: Deploy Managed Installer for Device Guard (Windows 10) +title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10) description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: mdsakibMSFT --- -# Deploy Managed Installer for Device Guard +# Deploy Managed Installer for Windows Defender Device Guard -Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guard’s [configurable code integrity (CI)](device-guard-deployment-guide.md). +Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md). This is especially true for enterprises with large, ever changing software catalogs. Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. 
@@ -21,14 +21,14 @@ A managed installer helps an IT admin balance security and manageability require A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. -Once the IT administrator adds the Allow: Managed Installer option to a configurable CI policy for Device Guard, the configurable CI component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. +Once the IT administrator adds the Allow: Managed Installer option to a configurable CI policy for Windows Defender Device Guard, the configurable CI component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. > [!NOTE] > Admins needs to ensure that there is a CI policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. > > Examples of CI policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. -> Admins can reference and customize them as needed for their Device Guard deployment. +> Admins can reference and customize them as needed for their Windows Defender Device Guard deployment. ## Configuring a managed installer with AppLocker and configurable code integrity policy 
@@ -151,8 +151,8 @@ An example of the managed installer option being set in policy is shown below. Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. -Users with administrator privileges on the system may be able to circumvent the intent of Device Guard configurable CI when the managed installer option is allowed. -If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users may be able to circumvent the intent of Device Guard configurable CI policy. +Users with administrator privileges on the system may be able to circumvent the intent of Windows Defender Device Guard configurable CI when the managed installer option is allowed. +If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users may be able to circumvent the intent of Windows Defender Device Guard configurable CI policy. In some cases, the heuristic tracking and authorizing applications may be active on the first execution of an application that is laid down from a designated managed installer. Typically, this would occur if the managed installer executes the application directly as part of the installation process. To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index d50a13cc43..2b460c583b 100644 
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md
+++ b/windows/device-security/device-guard/device-guard-deployment-guide.md 
@@ -1,31 +1,31 @@ --- -title: Device Guard deployment guide (Windows 10) -description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +title: Windows Defender Device Guard deployment guide (Windows 10) +description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- -# Device Guard deployment guide +# Windows Defender Device Guard deployment guide **Applies to** - Windows 10 - Windows Server 2016 -Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. 
+Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. -This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. It includes: +This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. 
It includes: -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) - [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) @@ -35,7 +35,7 @@ This guide explores the individual features in Device Guard as well as how to pl - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## Related topics 
@@ -45,10 +45,10 @@ This guide explores the individual features in Device Guard as well as how to pl [Code integrity](https://technet.microsoft.com/library/dd348642.aspx) -[Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) +[Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) -[Driver compatibility with Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) +[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) -[Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) +[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 66956fbb5c..e5593fe7b8 100644 --- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md 
@@ -1,54 +1,54 @@ --- -title: Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10) -description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +title: Introduction to Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10) +description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- -# Introduction to Device Guard: virtualization-based security and code integrity policies +# Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies **Applies to** - Windows 10 - Windows Server 2016 -With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. 
Windows Defender Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware. -To increase the security level offered by code integrity policies, Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Device Guard and these hardware features can help protect against various threats. +To increase the security level offered by code integrity policies, Windows Defender Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. 
When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats. -For an overview of the process of deploying Device Guard features, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +For an overview of the process of deploying Windows Defender Device Guard features, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). -## How Device Guard features help protect against threats +## How Windows Defender Device Guard features help protect against threats -The following table lists security threats and describes the corresponding Device Guard features: +The following table lists security threats and describes the corresponding Windows Defender Device Guard features: -| Security threat in the enterprise | How a Device Guard feature helps protect against the threat | +| Security threat in the enterprise | How a Windows Defender Device Guard feature helps protect against the threat | | --------------------------------- | ----------------------------------------------------------- | | **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
      Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

      **Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | | **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

      **Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
      With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

      **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
      With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

      **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

      **Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.

      **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.

      **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | -In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). +In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). ## New and changed functionality As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). 
-## Tools for managing Device Guard features +## Tools for managing Windows Defender Device Guard features -You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: +You can easily manage Windows Defender Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: -- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. +- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. - - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Device Guard features help protect against threats](#how-device-guard-features-help-protect-against-threats), earlier in this topic. 
+ - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic. - For information about using Group Policy as a deployment tool, see:
      [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy)
      [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy) - **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager). 
@@ -59,25 +59,25 @@ You can easily manage Device Guard features by using familiar enterprise and cli These options provide the same experience you're used to in order to manage your existing enterprise management solutions. -For more information about the deployment of Device Guard features, see: -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +For more information about the deployment of Windows Defender Device Guard features, see: +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) -## Other features that relate to Device Guard +## Other features that relate to Windows Defender Device Guard -### Device Guard with AppLocker +### Windows Defender Device Guard with AppLocker -Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. 
There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. -> **Note**  One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. +> **Note**  One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. -AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. +AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. 
-### Device Guard with Credential Guard +### Windows Defender Device Guard with Windows Defender Credential Guard -Another Windows 10 feature that employs VBS is [Credential Guard](/windows/access-protection/credential-guard/credential-guard). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +Another Windows 10 feature that employs VBS is [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). Windows Defender Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Windows Defender Credential Guard (which is not a feature within Windows Defender Device Guard), see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). -Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. +Windows Defender Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Windows Defender Credential Guard, organizations can gain additional protection against such threats. 
diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
index 89b5072658..dbd9304e45 100644
--- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
+++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
@@ -1,10 +1,10 @@
 --- title: Optional - Create a code signing certificate for code integrity policies (Windows 10) -description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- 
@@ -14,7 +14,7 @@ author: brianlic-msft
 - Windows 10
 - Windows Server 2016
-As you deploy code integrity policies (part of Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md).
+As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md).
 If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate:
@@ -96,7 +96,7 @@ When the certificate has been exported, import it into the personal store for th
 ## Related topics
-- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
-- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
index d3919505b8..3cff963c28 100644
--- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -1,26 +1,27 @@
 ---
-title: Planning and getting started on the Device Guard deployment process (Windows 10)
-description: To help you plan and begin the initial test stages of a deployment of Microsoft Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies.
+title: Planning and getting started on the Windows Defender Device Guard deployment process (Windows 10)
+description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Planning and getting started on the Device Guard deployment process
+# Planning and getting started on the Windows Defender Device Guard deployment process
 **Applies to**
 - Windows 10
 - Windows Server 2016
-This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
+This topic provides a roadmap for planning and getting started on the Windows Defender Device Guard deployment process, with links to topics that provide additional detail. Planning for Windows Defender Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
 ## Planning
-1. **Review requirements, especially hardware requirements for VBS**. 
Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
+1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard(requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-hardware-firmware-and-software-requirements-for-
+windows-defender-device-guard).
-2. **Group devices by degree of control needed**. Group devices according to the table in [Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
      Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create:
 - How standardized is the hardware?
      This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
@@ -32,20 +33,20 @@ This topic provides a roadmap for planning and getting started on the Device Gua
 - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
 - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+ In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Device Guard code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
 Legitimate applications from trusted vendors provide valid functionality. 
However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
- Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps).
+ Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps).
-4. 
**Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
+4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
 ## Getting started on the deployment process 
@@ -67,11 +68,11 @@ This topic provides a roadmap for planning and getting started on the Device Gua
 - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies)
 - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
      -8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
 > [!WARNING]
 > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
- For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
+ For information about enabling VBS features, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
      \ No newline at end of file
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 3a9804aa1c..ec2f600b51 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -1,124 +1,111 @@
 ---
-title: Requirements and deployment planning guidelines for Device Guard (Windows 10)
-description: To help you plan a deployment of Microsoft Device Guard, this article describes hardware requirements for Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
+title: Requirements and deployment planning guidelines for Windows Defender Device Guard (Windows 10)
+description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
-# Requirements and deployment planning guidelines for Device Guard
+# Requirements and deployment planning guidelines for Windows Defender Device Guard
 **Applies to**
 - Windows 10
 - Windows Server 2016
-This article describes the following:
+The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). 
-- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard)
- - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
- - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
-- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
-- [Device Guard deployment in virtual machines](#device-guard-deployment-in-virtual-machines)
-- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
-- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
+>**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+## Hardware, firmware, and software requirements for Windows Defender Device Guard
->**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. 
However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats.
-## Hardware, firmware, and software requirements for Device Guard
+For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md).
-To deploy Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats.
-
-For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. 
For an outline of how VBS-related hardware strengthens the hardening offered by Device Guard, see [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md).
-
-You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
 > [!WARNING]
 > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
 > **Notes**
      -> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
      +> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
      > • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
-## Device Guard requirements for baseline protections
+## Baseline protections
-|Baseline Protections - requirement | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
      plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
      One of the following virtualization extensions:
      • VT-x (Intel) or
      • AMD-V
      And:
      • Extended page tables, also called Second Level Address Translation (SLAT).

      **Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

      **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

      **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

      **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


      **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+|Baseline Protections | Description | Security benefits |
+|--------------------------------|----------------------------------------------------|-------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
+| Hardware: **CPU virtualization extensions**,
      plus **extended page tables** | These hardware features are required for VBS:
      One of the following virtualization extensions:
      • VT-x (Intel) or
      • AMD-V
      And:
      • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. 
|
+| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.

      | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
-> **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
+> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
-## Device Guard requirements for improved security
+## Additional qualifications for improved security
-The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
+The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
 ### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
-
-| Protections for Improved Security - requirement | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
      • BIOS password or stronger authentication must be supported.
      • In the BIOS configuration, BIOS authentication must be set.
      • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
      • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

      **Security benefits**:
      • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
      • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|------| +| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
      • In the BIOS configuration, BIOS authentication must be set.
      • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
      • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
      • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
      -### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016 +### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 -> **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. -| Protections for Improved Security - requirement | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
      Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
      • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).

      **Security benefits**:
      • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
      • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

      **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
      • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
      • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

      **Security benefits**:
      • Enterprises can choose to allow proprietary EFI drivers/applications to run.
      • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|-----| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
      • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
      • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
      • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
      • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
      -### Additional Qualification Requirements starting with Windows 10, version 1703 +### Additional security qualifications starting with Windows 10, version 1703 -The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
      • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
      • UEFI runtime service must meet these requirements:
          • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
          • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and exceutable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code

      **Security benefits**:
      • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

      **Security benefits**:
      • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. | +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|------| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
      • UEFI runtime service must meet these requirements:
          • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
          • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and exceutable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. | -## Device Guard deployment in different scenarios: types of devices +## Windows Defender Device Guard deployment in different scenarios: types of devices -Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization. +Typically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Windows Defender Device Guard in your organization. -| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | +| **Type of device** | **How Windows Defender Device Guard relates to this type of device** | **Windows Defender Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | +| **Fixed-workload devices**: Perform same tasks every day.
      Lists of approved applications rarely change.
      Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
      After Windows Defender Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | | **Fully managed devices**: Allowed software is restricted by IT department.
      Users can request additional software, or install from a list of applications provided by IT department.
      Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
      Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

      • Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

      • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | +| **Lightly managed devices**: Company-owned, but users are free to install software.
      Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

      • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Windows Defender Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | -## Device Guard deployment in virtual machines +## Windows Defender Device Guard deployment in virtual machines -Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine. +Windows Defender Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Device Guard are the same from within the virtual machine. -Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine: +Windows Defender Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Windows Defender Device Guard for a virtual machine: ` Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` -### Requirements for running Device Guard in Hyper-V virtual machines +### Requirements for running Windows Defender Device Guard in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- - Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - - Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. + - Windows Defender Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. + - Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. + - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. ## Reviewing your applications: application signing and catalog files 
@@ -137,9 +124,9 @@ To obtain signed applications or embed signatures in your in-house applications,
 To use catalog signing, you can choose from the following options:
-- Use the Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
-- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
 ### Catalog files
@@ -149,9 +136,9 @@ Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered
 After you have created and signed your catalog files, you can configure your code integrity policies to trust the signer or signing certificate of those files.
-> **Note**  Package Inspector only works on operating systems that support Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+> **Note**  Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
-For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md).
+For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md).
 ## Code integrity policy formats and signing
@@ -163,7 +150,7 @@ When the code integrity policy is deployed, it restricts the software that can r
 ## Related topics
-- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
+- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
diff --git a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
index 5a3cde966e..aa07230763 100644
--- a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
@@ -18,18 +18,17 @@ Describes the best practices, location, values, and security considerations for
 ## Reference
-This security setting determines whether the local administrator account is enabled or disabled.
+This security setting determines whether the local Administrator account is enabled or disabled.
-If you try to enable the administrator account after it has been disabled, and if the current administrator password does not meet the password requirements, you cannot enable the account. In this case, an alternative member of the Administrators group must reset the password on the administrator account.
+The following conditions prevent disabling the Administrator account, even if this security setting is disabled.
-If you disable this policy setting, and one of the following conditions exists on the computer, the administrator account is not disabled.
-1. No other local administrator account exists
-2. The administrator account is currently in use
-3. All other local administrator accounts are:
+1. The Administrator account is currently in use
+2. The Administrators group has no other members
+3. All other members of the Administrators group are:
 1. Disabled
 2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment
-If the current administrator password does not meet the password requirements, you will not be able to enable the administrator account again after it has been disabled. In this case, another member of the Administrators group must set the password on the administrator account.
+If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password.
 ### Possible values
 - Enabled
@@ -51,12 +50,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
 The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
 | Server type or GPO | Default value |
+| - | - |
 | Default Domain Policy | Not defined |
 | Default Domain Controller Policy |Not defined |
 | Stand-Alone Server Default Settings | Enabled |
 | DC Effective Default Settings | Enabled |
 | Member Server Effective Default Settings | Enabled |
 | Client Computer Effective Default Settings | Disabled |
+  
 ## Policy management
diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
index cc479c5bc2..b2a0c2025c 100644
--- a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside
 ## Reference
-This policy setting prevents users from adding new Microsoft accounts on a device.
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
-If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store.
+There are two options if this setting is enabled:
-If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system.
+- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
+
+- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
 If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
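Review bot: The rewritten description of the second option drops the caveat that **Users can’t add or log on with Microsoft accounts** can lock an existing Microsoft-account administrator out of the device, and the new wording ("cannot … use existing connected accounts through **Settings**") no longer states plainly that existing connected accounts can no longer sign in to Windows. Because the option name says "log on with" and the bullet above it says existing connected accounts still appear on the sign-in screen, the contrast is exactly what a reader deciding between the two options needs. I would keep one sentence from the removed paragraph after the second bullet: `Existing connected accounts can no longer sign in to Windows; selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system.` The best-practices hunk later in this file repeats the narrower "add new connected accounts" wording and would stay consistent with this addition.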
@@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st
 ### Best practices
 - By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users.
-- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
+- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts.
 ### Location
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6c96f4605e..0264785b4b 100644
--- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: justinha
 ---
diff --git a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index b9a0e71329..3f98b0d5f2 100644
--- a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -24,11 +24,11 @@ This policy setting allows a client device to require the negotiation of 128-bit
 - Require NTLMv2 session security
- The connection fails if strong encryption (128-bit) is not negotiated.
+ The connection fails if the NTLMv2 protocol is not negotiated.
 - Require 128-bit encryption
- The connection fails if the NTLMv2 protocol is not negotiated.
+ The connection fails if strong encryption (128-bit) is not negotiated.
 ### Best practices
diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/device-security/security-policy-settings/security-options.md
index b4896738f7..e8cba42ee3 100644
--- a/windows/device-security/security-policy-settings/security-options.md
+++ b/windows/device-security/security-policy-settings/security-options.md
@@ -53,7 +53,8 @@ For info about setting security policies, see [Configure security policy setting | [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.| |[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. | | [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. 
| -| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.| +| [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting.| +| [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display username at sign-in** security policy setting.| | [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.| | [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.| | [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.| diff --git a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 348aa4eb2d..16ed671235 100644 --- a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md 
+++ b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Shutdown: Clear virtual memory pagefile - security policy setting +# Shutdown: Clear virtual memory pagefile **Applies to** - Windows 10 diff --git a/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 2d68063ec7..18de1ae022 100644 --- a/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft +ms.date: 08/29/2017 --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing @@ -32,7 +33,7 @@ For the EFS service, this policy setting supports the 3DES and Advanced Encrypti **Remote Desktop Services (RDS)** -For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm. +If you're using Remote Desktop Services, this policy setting should only be enabled if the 3DES encryption algorithm is supported. **BitLocker** diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md new file mode 100644 index 0000000000..88f2a9f786 --- /dev/null +++ b/windows/device-security/tpm/how-windows-uses-the-tpm.md 
@@ -0,0 +1,159 @@ +--- +title: How Windows uses the TPM +description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security. +ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# How Windows 10 uses the Trusted Platform Module + +The Windows 10 operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM. + + +**See also:** + + - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) + + - [TPM Fundamentals](tpm-fundamentals.md) + + - [TPM Recommendations](tpm-recommendations.md)  + +## TPM Overview + +The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more. + +Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. 
Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. + +The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. 
For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. + +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. + +Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. + +## TPM in Windows 10 + +The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security. 
+ +## Platform Crypto Provider + +Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself. + +Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. + +The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: + +• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. 
+ +• **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. + +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows 10 device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. + +## Virtual Smart Card + +Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. 
Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. + +In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses. + +For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. + +## Windows Hello for Business + +Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. 
Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. + +The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889). + +Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): + +• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. + +• **Attestation identity key**. 
To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. + +![TPM Capabilities](images/tpm-capabilities.png) + +*Figure 1: TPM Cryptographic Key Management* + +For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. + +## BitLocker Drive Encryption + +BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. 
+ +In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: + +• **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) 
The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. + +• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. 
Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS). + +Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. + +Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. + +## Device Encryption + +Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. 
The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. + +For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. + +## Measured Boot + +Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows. + +The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. 
For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). + +Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted. + +TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware. + +The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: + +• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. 
Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. + +When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. + +![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) + +*Figure 2: Process used to create evidence of boot software and configuration using a TPM* + + +## Health Attestation + +Some Windows 10 improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health. + +Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365. + +## Credential Guard + +Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. 
One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization. + +Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. + +The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10. + +## Conclusion + +The TPM adds hardware-based security benefits to Windows 10. When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. 
The following table summarizes the key benefits of the TPM’s major features. + + +|Feature | Benefits when used on a system with a TPM| +|---|---| +| Platform Crypto Provider | •     If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
      •     The TPM’s dictionary attack mechanism protects PIN values to use a certificate. +| Virtual Smart Card | •     Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| +| Windows Hello for Business | •     Credentials provisioned on a device cannot be copied elsewhere.
      •     Confirm a device’s TPM before credentials are provisioned. | +| BitLocker Drive Encryption | •     Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. +|Device Encryption | •     With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. +| Measured Boot | •     A hardware root of trust contains boot measurements that help detect malware during remote attestation. +| Health Attestation | •     MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. +| Credential Guard | •     Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. + +
      +
+Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
\ No newline at end of file
diff --git a/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
new file mode 100644
index 0000000000..64eb88ebe7
Binary files /dev/null and b/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png differ
diff --git a/windows/device-security/tpm/images/tpm-capabilities.png b/windows/device-security/tpm/images/tpm-capabilities.png
new file mode 100644
index 0000000000..b10c66b27c
Binary files /dev/null and b/windows/device-security/tpm/images/tpm-capabilities.png differ
diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md
index d0283a1020..7c44d3803e 100644
--- a/windows/device-security/tpm/tpm-recommendations.md
+++ b/windows/device-security/tpm/tpm-recommendations.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
@@ -105,10 +105,10 @@ The following table defines which Windows features require TPM support.
 | Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
 | Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
 | Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
-| Device Guard / Configurable Code Integrity | See next column | Recommended | |
+| Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. |
 | Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. |
 | Device Health Attestation | Required | Required | |
-| Windows Hello | Not Required | Recommended | |
+| Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) |
 | UEFI Secure Boot | Not Required | Recommended | |
 | Platform Key Storage provider | Required | Required | |
 | Virtual Smart Card | Required | Required | |
diff --git a/windows/device-security/tpm/trusted-platform-module-overview.md b/windows/device-security/tpm/trusted-platform-module-overview.md
index ba05130ce1..119ebafb02 100644
--- a/windows/device-security/tpm/trusted-platform-module-overview.md
+++ b/windows/device-security/tpm/trusted-platform-module-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 8203714148..a666d3e71e 100644
--- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,6 +1,6 @@
 ---
 title: TPM Group Policy settings (Windows 10)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
+description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -15,22 +15,15 @@ author: brianlic-msft
 - Windows 10
 - Windows Server 2016
-This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
+This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-The TPM Services Group Policy settings are located at:
+The Group Policy settings for TPM services are located at:
 **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
+The following Group Policy settings were introduced in Window 10:
-Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0.
-
-Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to:
-a) disable it from group policy and b) clear the TPM on the system.
-
-**The following Group Policy settings were introduced in Window 10:**
-
-### Configure the list of blocked TPM commands
+## Configure the list of blocked TPM commands
 This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
@@ -48,7 +41,7 @@ For information how to enforce or ignore the default and local lists of blocked
 - [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands)
-### Ignore the default list of blocked TPM commands
+## Ignore the default list of blocked TPM commands
 This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
@@ -58,7 +51,7 @@ If you enable this policy setting, the Windows operating system will ignore the
 If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands.
-### Ignore the local list of blocked TPM commands
+## Ignore the local list of blocked TPM commands
 This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
@@ -68,7 +61,7 @@ If you enable this policy setting, the Windows operating system will ignore the
 If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
-### Configure the level of TPM owner authorization information available to the operating system
+## Configure the level of TPM owner authorization information available to the operating system
 This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password.
@@ -106,7 +99,7 @@ If you enable this policy setting, the Windows operating system will store the T
 If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
-### Standard User Lockout Duration
+## Standard User Lockout Duration
 This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM.
@@ -125,7 +118,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
 If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used.
-### Standard User Individual Lockout Threshold
+## Standard User Individual Lockout Threshold
 This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
@@ -137,7 +130,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
 If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
-### Standard User Total Lockout Threshold
+## Standard User Total Lockout Threshold
 This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
@@ -156,6 +149,21 @@ If you enable this policy setting, TPM owner information will be automatically a
 If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
+
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below.
+
+> [!IMPORTANT]
+> Setting this policy will take effect only if:
+- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
+- The system has a TPM 2.0.
+
+> [!NOTE]
+> Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either:
+> - Disable it from group policy
+> - Clear the TPM on the system
+
+
 ## Related topics
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/device-security/tpm/trusted-platform-module-top-node.md b/windows/device-security/tpm/trusted-platform-module-top-node.md
index ad6428c661..f7ef7a4b61 100644
--- a/windows/device-security/tpm/trusted-platform-module-top-node.md
+++ b/windows/device-security/tpm/trusted-platform-module-top-node.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/device-security/windows-10-mobile-security-guide.md b/windows/device-security/windows-10-mobile-security-guide.md
index 85ff61bf41..207c463b85 100644
--- a/windows/device-security/windows-10-mobile-security-guide.md
+++ b/windows/device-security/windows-10-mobile-security-guide.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, mobile
-localizationpriority: high
+ms.localizationpriority: high
 author: AMeeus
 ---
 # Windows 10 Mobile security guide
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 7ebbf52bf3..200db0cd98 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -3,7 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10)
 description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
 ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 9714c77347..c3b5a294aa 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -6,17 +6,20 @@
 ### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
 ### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
 ### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Configure endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
 ##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
 ##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
 ##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
 ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
 ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet connectivity 
settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
 ### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-#### [View the Dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
 #### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
 #### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
 ##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
@@ -27,17 +30,22 @@
 #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
 #### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
 #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
-##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-##### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-##### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
 #### [Investigate a user 
account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
 #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
 #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
 ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution)
 ###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
 ###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
-###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
 ###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 ##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Stop and quarantine files in your 
network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) 
@@ -63,6 +71,46 @@
 #### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
 #### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
+##### Actor
+###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+##### Alerts
+###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+##### Domain
+###### [Get domain related 
alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+##### File
+###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
+##### IP
+###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+##### Machines
+###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+##### User
+###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
+### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
 ### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
 #### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
 ##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
@@ -74,17 +122,23 @@
 #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
 #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
 ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
-
 ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
 ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+
+### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+### [Windows Defender Antivirus 
compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+
+
 ### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+
+
 ### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
 #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
 ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
@@ -95,6 +149,8 @@
 ##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
 ##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
 ##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
 ### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
 #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
 ##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
@@ -109,6 +165,8 @@ ##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md) ##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md) ##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md) + + ### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md) #### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md) ##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md) 
@@ -120,19 +178,63 @@ #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) + + ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) + + + ### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md) #### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md) #### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md) #### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) + + + +## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md) +### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md) +#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md) +#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md) + +### [Exploit 
Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md) +#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md) +#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md) +#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md) +#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md) +##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md) +### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md) +#### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) +#### [Enable Attack Surface Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) +#### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) +### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) +#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) +#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) +### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) +#### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) +#### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) +#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md) + + + + + + ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md) ### [Available Windows Defender SmartScreen Group 
Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) + +##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md) +###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md) +###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md) +###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md) +###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md) +###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md) + ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) -#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) +#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) ##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) ##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft 
Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) #### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) @@ -150,10 +252,17 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) + ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) + ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) + ## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) -## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md) + +## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) + ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) + ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file + +## [Change history for Threat Protection](change-history-for-threat-protection.md) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index 8343d2c59e..ebec2a5082 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md 
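Review bot: The six Windows Defender Application Guard entries added in the `@@ -120,19 +178,63 @@` hunk are written as `##[Windows Defender Application Guard](...)` and `###[System requirements ...](...)` with no space after the hash run, unlike every other entry in this TOC. CommonMark only recognises an ATX heading when whitespace separates the `#` characters from the text, so unless the TOC parser is more lenient than the spec these nodes may be dropped or rendered as literal text. Change them to `## [Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)` and `### [...]` for the five child entries so they match the rest of the file.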
+++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,10 +8,13 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft -localizationpriority: high +ms.author: lizross +ms.date: 08/14/2017 +ms.localizationpriority: high --- # Block untrusted fonts in an enterprise + **Applies to:** - Windows 10 
@@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature +Use Group Policy or the registry to turn this feature on, off, or to use audit mode. + +**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** +1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. + +2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: + + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + + - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + + - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + +3. Click **OK**. + +**To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: +3. Right click on the **MitigationOptions** key, and then click **Modify**. + + The **Edit QWORD (64-bit) Value** box opens. + +4. 
Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**.

      **Important**
      Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  -4. Restart your computer. + - **To turn this feature off.** Type **2000000000000**. + + - **To audit with this feature.** Type **3000000000000**. + + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + +4. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. @@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 2. Scroll down to **EventID: 260** and review the relevant events. -
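Review bot: The new Group Policy procedure misspells the option group as `**Migitation Options**`; it should read `**Mitigation Options**`, since this is the label administrators have to locate in the policy editor under `Untrusted Font Blocking`. The rewritten registry procedure also ends up with two steps numbered 4 (`4. Make sure the **Base** option is **Hexadecimal** ...` and `4. Restart your computer.`); the second one should be `5. Restart your computer.`, even if some renderers happen to auto-increment it. The surrounding section continues past the end of this hunk.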

      -**Event Example 1 - MS Word**
      -WINWORD.EXE attempted loading a font that is restricted by font loading policy.
      -FontType: Memory
      -FontPath:
      -Blocked: true

      -**Note**
      Because the **FontType** is *Memory*, there’s no associated **FontPath.** -

      -**Event Example 2 - Winlogon**
      -Winlogon.exe attempted loading a font that is restricted by font loading policy.
      -FontType: File
      -FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
      -Blocked: true

      -**Note**
      Because the **FontType** is *File*, there’s also an associated **FontPath.** -

      -**Event Example 3 - Internet Explorer running in Audit mode**
      -Iexplore.exe attempted loading a font that is restricted by font loading policy.
      -FontType: Memory
      -FontPath:
      -Blocked: false

      -**Note**
      In Audit mode, the problem is recorded, but the font isn’t blocked. + + **Event Example 1 - MS Word**
      + WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
      + FontType: Memory
      + FontPath:
      + Blocked: true + + >[!NOTE] + >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + **Event Example 2 - Winlogon**
      + Winlogon.exe attempted loading a font that is restricted by font-loading policy.
      + FontType: File
      + FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
      + Blocked: true + + >[!NOTE] + >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + **Event Example 3 - Internet Explorer running in Audit mode**
      + Iexplore.exe attempted loading a font that is restricted by font-loading policy.
      + FontType: Memory
      + FontPath:
      + Blocked: false + + >[!NOTE] + >In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

      For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.   +## Related content +- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)   diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md index ee84b688ce..f89c5ecee5 100644 --- a/windows/threat-protection/change-history-for-threat-protection.md +++ b/windows/threat-protection/change-history-for-threat-protection.md 
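Review bot: The rewritten step 1 under **To fix your apps by excluding processes** still ends at navigating to the per-process `Image File Execution Options\Winword.exe` key and never states which value to create there or what data it takes, so step 2's "Add any additional processes" cannot be completed as written; presumably it is the same **MitigationOptions** value with the feature-off data given earlier in the topic, but that needs confirming and spelling out. Because changes under Image File Execution Options are a location many monitoring baselines watch, naming the exact value also lets defenders tell a sanctioned exclusion from an unexpected change. The new **Related content** link titled "Dropping the “Untrusted Font Blocking” setting" implies the guidance for this feature has moved on, but the topic offers no context; add a one-sentence description after the link saying what the post concludes so readers know whether this topic's recommendations still stand.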
@@ -14,18 +14,18 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc ## June 2017 |New or changed topic |Description | |---------------------|------------| -| [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New | +|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New | |[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| |[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.| -[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | +|[Secure the Windows 10 boot 
process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | ## March 2017 |New or changed topic |Description | |---------------------|------------| -||[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New | +|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New | |[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. | |[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.| |[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New | diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 77a4201aad..a98bb34278 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md 
@@ -14,11 +14,15 @@ Learn more about how to help protect against threats in Windows 10 and Windows | Section | Description | |-|-| -| [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) | Learn more about mitigating threats in Windows 10. | -| [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | -| [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| -| [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| -|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Learn more about how to help protect against potential corporate data leakage. | -| [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) | Learn more about Windows Defender SmartScreen. | -| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. 
| -| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | +|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| +|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| +|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. 
Includes a list of system requirements and new features.| +|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.| +|[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| +|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| +|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| +|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.| +|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.| +|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.| +|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) |Learn about an approach to collect events from devices in your organization. 
This article talks about events in both normal operations and when an intrusion is suspected. | +|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. | diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md index a23616e9a6..e3f898afa0 100644 --- a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: justinha --- diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md index 2f0931b1dc..83a8c454ed 100644 --- a/windows/threat-protection/secure-the-windows-10-boot-process.md +++ b/windows/threat-protection/secure-the-windows-10-boot-process.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security ms.sitesec: library -localizationpriority: medium +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/23/2017 --- diff --git a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index 6d73bea83b..4f4815d991 100644 --- a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -7,7 +7,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- 
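Review bot: The new table row `|[Windows Defender Smart​Screen](windows-defender-smartscreen/...)` appears to contain a non-printing character between "Smart" and "Screen" (the name renders with a break in some viewers, unlike the `Windows Defender SmartScreen` spelling used in the TOC and the description cell). Such a character defeats text search and copy-paste of the product name; retype the link text as `Windows Defender SmartScreen`. The new rows also alternate between `Provides info about` and `Learn about`/`Learn more about`, which is a minor style inconsistency worth settling on one form.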
diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index d3a3a91d2b..7e6a5244b8 100644 --- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index edf44cdddc..7c7eed2793 100644 --- a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Reference topics for management and configuration tools diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 18065e7b67..bc92d0c50e 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md 
+++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -8,8 +8,11 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 + --- # Configure scanning options in Windows Defender AV diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index c0c0237884..5b30a1d8e3 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 09874321a0..ffae20dfe9 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure the cloud block timeout period 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 47b2f3f968..6843c1e01d 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure end-user interaction with Windows Defender Antivirus diff --git a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index db1498b7bd..38c2c15f82 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -8,16 +8,19 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- -# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans +# Configure and validate exclusions for Windows Defender AV scans (client) **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** 
@@ -39,6 +42,8 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. +Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. + >[!WARNING] >Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 3d78deccde..3ab8d056a6 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Configure and validate exclusions based on file extension and folder location @@ -18,6 +20,7 @@ author: iaanw **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** diff --git a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 728b747ccb..885b929ee5 100644 
--- a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Prevent or allow users to locally modify Windows Defender AV policy settings
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index e31e53a2bb..cc04c936e3 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure and validate network connections for Windows Defender Antivirus
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index a692199439..92cb4eab33 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure the notifications that appear on endpoints diff --git a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 50dbbe12a6..bd0aa9f9ff 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Configure exclusions for files opened by processes @@ -17,6 +19,7 @@ author: iaanw **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** diff --git a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index bf1f2f595e..882fec2cbe 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Configure behavioral, heuristic, and real-time protection 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 677e0883be..2f73f17890 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index b664d78cdf..3c3d477567 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index c293dd3358..033e1ba5fd 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md 
@@ -8,11 +8,13 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- -# Configure exclusions in Windows Defender AV on Windows Server 2016 +# Configure exclusions in Windows Defender AV on Windows Server **Applies to:** 
@@ -30,14 +32,28 @@ author: iaanw - PowerShell - Windows Management Instrumentation (WMI) -If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role. +If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions). These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). -You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics: +You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics: - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +Custom exclusions take precedence over the automatic exclusions. + +> [!TIP] +> Custom and duplicate exclusions do not conflict with automatic exclusions. + +Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer. + + +## Opt out of automatic exclusions + +In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. 
If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates. + +> [!WARNING] +> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI. @@ -58,7 +74,7 @@ You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, Use the following cmdlets: ```PowerShell -Set-MpPreference -DisableAutoExclusions +Set-MpPreference -DisableAutoExclusions $true ``` See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
@@ -75,9 +91,312 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + +## List of automatic exclusions +The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. + +### Default exclusions for all roles +This section lists the default exclusions for all Windows Server 2016 roles. + +- Windows "temp.edb" files: + + - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb + + - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log + +- Windows Update files or Automatic Update files: + + - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb + + - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk + + - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log + + - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs + + - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log + +- Windows Security files: + + - *%windir%*\Security\database\\*.chk + + - *%windir%*\Security\database\\*.edb + + - *%windir%*\Security\database\\*.jrs + + - *%windir%*\Security\database\\*.log + + - *%windir%*\Security\database\\*.sdb + +- Group Policy files: + + - *%allusersprofile%*\NTUser.pol + + - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol + + - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol + +- WINS files: + + - *%systemroot%*\System32\Wins\\*\\\*.chk + + - *%systemroot%*\System32\Wins\\*\\\*.log + + - *%systemroot%*\System32\Wins\\*\\\*.mdb + + - *%systemroot%*\System32\LogFiles\ + + - *%systemroot%*\SysWow64\LogFiles\ + +- File Replication Service (FRS) exclusions: + + - Files in the File Replication Service (FRS) working folder. 
The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` + + - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + + - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + + - *%windir%*\Ntfrs\jet\log\\*\\\*.log + + - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` + + - *%windir%*\Ntfrs\\*\Edb\*.log + + - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` + + - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + + - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` + + - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + + - The Distributed File System Replication (DFSR) database and working folders. 
These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + + - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + + - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + + - *%systemdrive%*\System Volume Information\DFSR\\*.XML + + - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + + - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + + - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + + - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + + - *%systemdrive%*\System Volume Information\DFSR\\*.frx + + - *%systemdrive%*\System Volume Information\DFSR\\*.log + + - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + + - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + +- Process exclusions + + - *%systemroot%*\System32\dfsr.exe + + - *%systemroot%*\System32\dfsrs.exe + +- Hyper-V exclusions: + + - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role + + - File type exclusions: + + - *.vhd + + - *.vhdx + + - *.avhd + + - *.avhdx + + - *.vsv + + - *.iso + + - *.rct + + - *.vmcx + + - *.vmrs + + - Folder exclusions: + + - *%ProgramData%*\Microsoft\Windows\Hyper-V + + - *%ProgramFiles%*\Hyper-V + + - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + + - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + + - Process exclusions: + + - *%systemroot%*\System32\Vmms.exe + + - *%systemroot%*\System32\Vmwp.exe + +- SYSVOL files: + + - *%systemroot%*\Sysvol\Domain\\*.adm + + - *%systemroot%*\Sysvol\Domain\\*.admx + + - *%systemroot%*\Sysvol\Domain\\*.adml + + - *%systemroot%*\Sysvol\Domain\Registry.pol + + - *%systemroot%*\Sysvol\Domain\\*.aas + + - *%systemroot%*\Sysvol\Domain\\*.inf + + - 
*%systemroot%*\Sysvol\Domain\\*.Scripts.ini + + - *%systemroot%*\Sysvol\Domain\\*.ins + + - *%systemroot%*\Sysvol\Domain\Oscfilter.ini + +### Active Directory exclusions +This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. + +- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` + + - %windir%\Ntds\ntds.dit + + - %windir%\Ntds\ntds.pat + +- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` + + - %windir%\Ntds\EDB*.log + + - %windir%\Ntds\Res*.log + + - %windir%\Ntds\Edb*.jrs + + - %windir%\Ntds\Ntds*.pat + + - %windir%\Ntds\EDB*.log + + - %windir%\Ntds\TEMP.edb + +- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` + + - %windir%\Ntds\Temp.edb + + - %windir%\Ntds\Edb.chk + +- Process exclusions for AD DS and AD DS-related support files: + + - %systemroot%\System32\ntfrs.exe + + - %systemroot%\System32\lsass.exe + +### DHCP Server exclusions +This section lists the exclusions that are delivered automatically when you install the DHCP Server role. 
The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` + +- *%systemroot%*\System32\DHCP\\*\\\*.mdb + +- *%systemroot%*\System32\DHCP\\*\\\*.pat + +- *%systemroot%*\System32\DHCP\\*\\\*.log + +- *%systemroot%*\System32\DHCP\\*\\\*.chk + +- *%systemroot%*\System32\DHCP\\*\\\*.edb + +### DNS Server exclusions +This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. + +- File and folder exclusions for the DNS Server role: + + - *%systemroot%*\System32\Dns\\*\\\*.log + + - *%systemroot%*\System32\Dns\\*\\\*.dns + + - *%systemroot%*\System32\Dns\\*\\\*.scc + + - *%systemroot%*\System32\Dns\\*\BOOT + +- Process exclusions for the DNS Server role: + + - *%systemroot%*\System32\dns.exe + + + +### File and Storage Services exclusions +This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. + +- *%SystemDrive%*\ClusterStorage + +- *%clusterserviceaccount%*\Local Settings\Temp + +- *%SystemDrive%*\mscs + +### Print Server exclusions +This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. + +- File type exclusions: + + - *.shd + + - *.spl + +- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` + + - *%system32%*\spool\printers\\* + +- Process exclusions: + + - spoolsv.exe + +### Web Server exclusions +This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. 
+ +- Folder exclusions: + + - *%SystemRoot%*\IIS Temporary Compressed Files + + - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files + + - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates + + - *%systemDrive%*\inetpub\logs + + - *%systemDrive%*\inetpub\wwwroot + +- Process exclusions: + + - *%SystemRoot%*\system32\inetsrv\w3wp.exe + + - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe + + - *%SystemDrive%*\PHP5433\php-cgi.exe + +### Windows Server Update Services exclusions +This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` + +- *%systemroot%*\WSUS\WSUSContent + +- *%systemroot%*\WSUS\UpdateServicesDBFiles + +- *%systemroot%*\SoftwareDistribution\Datastore + +- *%systemroot%*\SoftwareDistribution\Download + + + + ## Related topics -- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 5ba96c2e65..315e1bc411 100644 
--- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure Windows Defender Antivirus features
diff --git a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index fb622e18eb..98b3c9615d 100644
--- a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Customize, initiate, and review the results of Windows Defender AV scans and remediation
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 1c76376a0b..02fb05242b 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Deploy, manage, and report on Windows Defender Antivirus
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 0f51f5cf85..adf719ad5b 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Deploy and enable Windows Defender Antivirus
diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 29c80abf0c..e33ddf160c 100644
--- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 296bbd7013..c0f1e340b7 100644
--- a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: detect
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Detect and block Potentially Unwanted Applications
diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 4057fe4655..a997f2b43b 100644
--- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Enable cloud-delivered protection in Windows Defender AV
diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 4f51b16a7a..ebc5c3cbc4 100644
--- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Evaluate Windows Defender Antivirus protection
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index 9726dfceba..201de035c2 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage event-based forced updates
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index 32920b478d..bf8666ecc1 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage updates and scans for endpoints that are out of date
@@ -92,7 +94,7 @@ See the following for more information and allowed parameters: ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)). +You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. **Use Group Policy to specify the number of days before protection is considered out-of-date:** diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index feffc5c8b6..06ac450ee6 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md 
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage the schedule for when protection updates should be downloaded and applied
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index 751a8801d2..554e426b6d 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage the sources for Windows Defender Antivirus protection updates
@@ -63,7 +65,11 @@ The older the updates on an endpoint, the larger the download. However, you must
 Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth.
-The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
+The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
+
+> [!IMPORTANT]
+> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
+> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
 Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
@@ -73,7 +79,7 @@ WSUS | You are using WSUS to manage updates for your network.
 Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.
 File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
 Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
-MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source.
+MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
 You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 89be197b89..77c6833644 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 # Manage Windows Defender Antivirus updates and apply baselines
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index b54cfd7521..638419e42b 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 # Manage updates for mobile devices and virtual machines (VMs)
diff --git a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index ce95481ff2..0c2af7f269 100644
--- a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 # Prevent users from seeing or interacting with the Windows Defender AV user interface
diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index dda75ed42a..ba5043b800 100644
--- a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 # Report on Windows Defender Antivirus protection
diff --git a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 63d6ce419e..90bc57e8a3 100644
--- a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 # Review Windows Defender AV scan results
diff --git a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 4e29084ea1..e4f58850f2 100644
--- a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index a4826a52ae..deb05534d1 100644
--- a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index 321924a398..8a1f3a3a08 100644
--- a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 # Specify the cloud-delivered protection level
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index cd2c6ccda5..603cf37adf 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
 # Review event logs and error codes to troubleshoot issues with Windows Defender AV
@@ -17,6 +19,7 @@ author: iaanw
 **Applies to**
 - Windows 10
+- Windows Server 2016
 **Audience**
@@ -27,55 +30,58 @@ If you encounter a problem with Windows Defender Antivirus, you can search the t
 The tables list:
-- [Windows Defender AV client event IDs](#windows-defender-av-ids)
+- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
 - [Windows Defender AV client error codes](#error-codes)
 - [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
-## Windows Defender AV client event IDs
+## Windows Defender AV event IDs
 Windows Defender AV records event IDs in the Windows event log.
-You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume the events to review specific events and errors from your endpoints.
+You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-The table in this section lists the main Windows Defender AV client event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-**View a Windows Defender AV client event**
+**To view a Windows Defender AV event**
 1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
 3. Double-click on **Operational**.
 4. In the details pane, view the list of individual events to find your event.
 5. 
Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. - - - + + +
      Event ID: 1000
      + + + + - - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - - + + - - -
      Event ID: 1000
      -

      Symbolic name:

      +Symbolic name:
      -

      MALWAREPROTECTION_SCAN_STARTED

      +
      +MALWAREPROTECTION_SCAN_STARTED
      -

      Message:

      +Message:
      -

      An antimalware scan started. -

      +
      +An antimalware scan started. +
      -

      Description:

      +
      +Description: -

      +

      Scan ID: <ID number of the relevant scan.>
      Scan Type: <Scan type>, for example:
        @@ -93,32 +99,31 @@ The table in this section lists the main Windows Defender AV client event IDs an
        Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
        User: <Domain>\\<User>
      -

      Event ID: 1001 -

      Symbolic name:

      +
      Event ID: 1001
      +Symbolic name: -

      MALWAREPROTECTION_SCAN_COMPLETED

      +
      +MALWAREPROTECTION_SCAN_COMPLETED
      -

      Message:

      +Message:
      -

      An antimalware scan finished.

      +
      +An antimalware scan finished.
      -

      Description:

      +Description:
      -

      +

      Scan ID: <ID number of the relevant scan.>
      Scan Type: <Scan type>, for example:
        @@ -136,34 +141,33 @@ The table in this section lists the main Windows Defender AV client event IDs an
        User: <Domain>\\<User>
        Scan Time: <The duration of a scan.>
      -

      Event ID: 1002 -

      Symbolic name:

      +
      Event ID: 1002
      +Symbolic name: -

      MALWAREPROTECTION_SCAN_CANCELLED -

      +
      +MALWAREPROTECTION_SCAN_CANCELLED +
      -

      Message:

      +Message:
      -

      An antimalware scan was stopped before it finished. -

      +
      +An antimalware scan was stopped before it finished. +
      -

      Description:

      +Description:
      -

      +

      Scan ID: <ID number of the relevant scan.>
      Scan Type: <Scan type>, for example:
        @@ -181,34 +185,33 @@ The table in this section lists the main Windows Defender AV client event IDs an
        User: <Domain>\<User>
        Scan Time: <The duration of a scan.>
      -

      Event ID: 1003 -

      Symbolic name:

      +
      Event ID: 1003
      +Symbolic name: -

      MALWAREPROTECTION_SCAN_PAUSED -

      +
      +MALWAREPROTECTION_SCAN_PAUSED +
      -

      Message:

      +Message:
      -

      An antimalware scan was paused. -

      +
      +An antimalware scan was paused. +
      -

      Description:

      +Description:
      -

      +

      Scan ID: <ID number of the relevant scan.>
      Scan Type: <Scan type>, for example:
        @@ -225,34 +228,33 @@ The table in this section lists the main Windows Defender AV client event IDs an
      User: <Domain>\\<User>
      -

      Event ID: 1004 -

      Symbolic name:

      +
      Event ID: 1004
      +Symbolic name: -

      MALWAREPROTECTION_SCAN_RESUMED -

      +
      +MALWAREPROTECTION_SCAN_RESUMED +
      -

      Message:

      +Message:
      -

      An antimalware scan was resumed. -

      +
      +An antimalware scan was resumed. +
      -

      Description:

      +Description:
      -

      +

      Scan ID: <ID number of the relevant scan.>
      Scan Type: <Scan type>, for example:
        @@ -269,34 +271,33 @@ The table in this section lists the main Windows Defender AV client event IDs an
      User: <Domain>\\<User>
      -

      Event ID: 1005 -

      Symbolic name:

      +
      Event ID: 1005
      +Symbolic name: -

      MALWAREPROTECTION_SCAN_FAILED -

      +
      +MALWAREPROTECTION_SCAN_FAILED +
      -

      Message:

      +Message:
      -

      An antimalware scan failed. -

      +
      +An antimalware scan failed. +
      -

      Description:

      +Description:
      -

      +

      Scan ID: <ID number of the relevant scan.>
      Scan Type: <Scan type>, for example:
        @@ -317,52 +318,49 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      -

      User action:

      +User action:
      -

      The Windows Defender AV client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. -

      -

      To troubleshoot this event: +

      +The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. +To troubleshoot this event:
      1. Run the scan again.
      2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
      3. Contact Microsoft Technical Support.
      -

      Event ID: 1006 -

      Symbolic name:

      +
      Event ID: 1006
      +Symbolic name: -

      MALWAREPROTECTION_MALWARE_DETECTED -

      +
      +MALWAREPROTECTION_MALWARE_DETECTED +
      -

      Message:

      +Message:
      -

      The antimalware engine found malware or other potentially unwanted software. -

      +
      +The antimalware engine found malware or other potentially unwanted software. +
      -

      Description:

      +Description:
      -

      -

      For more information please see the following:

      +
      +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -408,35 +406,34 @@ UAC
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1007 -

      Symbolic name:

      +
      Event ID: 1007
      +Symbolic name: -

      MALWAREPROTECTION_MALWARE_ACTION_TAKEN -

      +
      +MALWAREPROTECTION_MALWARE_ACTION_TAKEN +
      -

      Message:

      +Message:
      -

      The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

      +
      +The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

      +
      +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
      User: <Domain>\\<User>
      Name: <Threat name>
      @@ -463,33 +460,32 @@ UAC
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1008 -

      Symbolic name:

      +
      Event ID: 1008
      +Symbolic name: -

      MALWAREPROTECTION_MALWARE_ACTION_FAILED

      +
      +MALWAREPROTECTION_MALWARE_ACTION_FAILED
      -

      Message:

      +Message:
      -

      The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

      +
      +The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

      +
      +Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
      User: <Domain>\\<User>
      Name: <Threat name>
      @@ -521,35 +517,34 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1009 -

      Symbolic name:

      +
      Event ID: 1009
      +Symbolic name: -

      MALWAREPROTECTION_QUARANTINE_RESTORE -

      +
      +MALWAREPROTECTION_QUARANTINE_RESTORE +
      -

      Message:

      +Message:
      -

      The antimalware platform restored an item from quarantine. -

      +
      +The antimalware platform restored an item from quarantine. +
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has restored an item from quarantine. For more information please see the following:

      +
      +Windows Defender has restored an item from quarantine. For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -566,35 +561,34 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1010 -

      Symbolic name:

      +
      Event ID: 1010
      +Symbolic name: -

      MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED -

      +
      +MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED +
      -

      Message:

      +Message:
      -

      The antimalware platform could not restore an item from quarantine. -

      +
      +The antimalware platform could not restore an item from quarantine. +
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has encountered an error trying to restore an item from quarantine. For more information please see the following:

      +
      +Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -615,35 +609,34 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1011 -

      Symbolic name:

      +
      Event ID: 1011
      +Symbolic name: -

      MALWAREPROTECTION_QUARANTINE_DELETE

      +
      +MALWAREPROTECTION_QUARANTINE_DELETE
      -

      Message:

      +Message:
      -

      The antimalware platform deleted an item from quarantine. -

      +
      +The antimalware platform deleted an item from quarantine. +
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has deleted an item from quarantine. -For more information please see the following:

      +
      +Windows Defender has deleted an item from quarantine. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -660,35 +653,34 @@ For more information please see the following:

      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1012 -

      Symbolic name:

      +
      Event ID: 1012
      +Symbolic name: -

      MALWAREPROTECTION_QUARANTINE_DELETE_FAILED -

      +
      +MALWAREPROTECTION_QUARANTINE_DELETE_FAILED +
      -

      Message:

      +Message:
      -

      The antimalware platform could not delete an item from quarantine.

      +
      +The antimalware platform could not delete an item from quarantine.
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has encountered an error trying to delete an item from quarantine. -For more information please see the following:

      +
      +Windows Defender has encountered an error trying to delete an item from quarantine. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -709,66 +701,64 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      Event ID: 1013 -

      Symbolic name:

      +
      Event ID: 1013
      +Symbolic name: -

      MALWAREPROTECTION_MALWARE_HISTORY_DELETE -

      +
      +MALWAREPROTECTION_MALWARE_HISTORY_DELETE +
      -

      Message:

      +Message:
      -

      The antimalware platform deleted history of malware and other potentially unwanted software.

      +
      +The antimalware platform deleted history of malware and other potentially unwanted software.
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has removed history of malware and other potentially unwanted software.

      +
      +Windows Defender has removed history of malware and other potentially unwanted software.
      Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
      User: <Domain>\\<User>
      -

      Event ID: 1014 -

      Symbolic name:

      +
      Event ID: 1014
      +Symbolic name: -

      MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED -

      +
      +MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED +
      -

      Message:

      +Message:
      -

      The antimalware platform could not delete history of malware and other potentially unwanted software.

      +
      +The antimalware platform could not delete history of malware and other potentially unwanted software.
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has encountered an error trying to remove history of malware and other potentially unwanted software.

      +
      +Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
      Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
      User: <Domain>\\<User>
      @@ -777,35 +767,34 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      Event ID: 1015 -

      Symbolic name:

      +
      Event ID: 1015
      +Symbolic name: -

      MALWAREPROTECTION_BEHAVIOR_DETECTED -

      +
      +MALWAREPROTECTION_BEHAVIOR_DETECTED +
      -

      Message:

      +Message:
      -

      The antimalware platform detected suspicious behavior.

      +
      +The antimalware platform detected suspicious behavior.
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has detected a suspicious behavior. -For more information please see the following:

      +
      +Windows Defender has detected a suspicious behavior. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -856,35 +845,34 @@ UAC
      Target File Name: <File name> Name of the file.
      -

      Event ID: 1116 -

      Symbolic name:

      +
      Event ID: 1116
      +Symbolic name: -

      MALWAREPROTECTION_STATE_MALWARE_DETECTED

      +
      +MALWAREPROTECTION_STATE_MALWARE_DETECTED
      -

      Message:

      +Message:
      -

      The antimalware platform detected malware or other potentially unwanted software. -

      +
      +The antimalware platform detected malware or other potentially unwanted software. +
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has detected malware or other potentially unwanted software. -For more information please see the following:

      +
      +Windows Defender has detected malware or other potentially unwanted software. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -930,44 +918,43 @@ UAC
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      -

      User action:

      +User action:
      -

      No action is required. Windows Defender AV can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender AV interface, click Clean Computer.

      +
      +No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
      Event ID: 1117 -

      Symbolic name:

      +
      Event ID: 1117
      +Symbolic name: -

      MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN -

      +
      +MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN +
      -

      Message:

      +Message:
      -

      The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

      +
      +The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
      -

      Description:

      +Description:
      -

      -

      Windows Defender AV has taken action to protect this machine from malware or other potentially unwanted software. -For more information please see the following:

      +
      +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -1027,8 +1014,8 @@ Result code associated with threat status. Standard HRESULT values. Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      NOTE: -

      Whenever Windows Defender AV, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

        +NOTE: +Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
        • Default Internet Explorer or Microsoft Edge setting
        • User Access Control settings
        • Chrome settings
        • @@ -1044,59 +1031,58 @@ The above context applies to the following client and server versions:
      -

      Client Operating System

      +Client Operating System
      -

      Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

      +Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
      -

      Server Operating System

      +Server Operating System
      -

      Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

      +Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
      -

      -

      User action:

      +User action: - -

      No action is necessary. Windows Defender AV removed or quarantined a threat.

      + +No action is necessary. Windows Defender removed or quarantined a threat. -Event ID: 1118 - -

      Symbolic name:

      +Event ID: 1118 + + +Symbolic name: - -

      MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

      + +MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED -

      Message:

      +Message: - -

      The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. -

      + +The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. + -

      Description:

      +Description: - -

      -

      Windows Defender AV has encountered a non-critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

      + +Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -1157,43 +1143,42 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      -

      User action:

      +User action: - -

      No action is necessary. Windows Defender AV failed to complete a task related to the malware remediation. This is not a critical failure.

      + +No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure. -Event ID: 1119 - -

      Symbolic name:

      +Event ID: 1119 + + +Symbolic name: - -

      MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED -

      + +MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED + -

      Message:

      +Message: - -

      The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

      + +The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. -

      Description:

      +Description: - -

      -

      Windows Defender AV has encountered a critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

      + +Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
      Name: <Threat name>
      ID: <Threat ID>
      @@ -1254,15 +1239,14 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      -

      User action:

      +User action: - -

      The Windows Defender AV client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

      + +The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
@@ -1270,147 +1254,150 @@ Description of the error.
      Action
      -

      Remove

      +Remove
      -

      Update the definitions then verify that the removal was successful.

      +Update the definitions then verify that the removal was successful.
      -

      Clean

      +Clean
      -

      Update the definitions then verify that the remediation was successful.

      +Update the definitions then verify that the remediation was successful.
      -

      Quarantine

      +Quarantine
      -

      Update the definitions and verify that the user has permission to access the necessary resources.

      +Update the definitions and verify that the user has permission to access the necessary resources.
      -

      Allow

      +Allow
      -

      Verify that the user has permission to access the necessary resources.

      +Verify that the user has permission to access the necessary resources.
      -

      -

      If this event persists:

        + +If this event persists:
        1. Run the scan again.
        2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        3. Contact Microsoft Technical Support.
        -

        -Event ID: 1120 - -

        Symbolic name:

        +Event ID: 1120 + + +Symbolic name: - -

        MALWAREPROTECTION_THREAT_HASH

        + +MALWAREPROTECTION_THREAT_HASH -

        Message:

        +Message: - -

        Windows Defender AV has deduced the hashes for a threat resource.

        + +Windows Defender has deduced the hashes for a threat resource. -

        Description:

        +Description: - -

        -

        Windows Defender AV client is up and running in a healthy state.

        + +Windows Defender client is up and running in a healthy state.
        Current Platform Version: <Current platform version>
        Threat Resource Path: <Path>
        Hashes: <Hashes>
        -

        + + + + +
        Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
        +
        -Event ID: 1150 - -

        Symbolic name:

        +Event ID: 1150 + + +Symbolic name: - -

        MALWAREPROTECTION_SERVICE_HEALTHY

        + +MALWAREPROTECTION_SERVICE_HEALTHY -

        Message:

        +Message: - -

        If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. -

        + +If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. + -

        Description:

        +Description: - -

        -

        Windows Defender AV client is up and running in a healthy state.

        + +Windows Defender client is up and running in a healthy state.
        Platform Version: <Current platform version>
        Signature Version: <Definition version>
        Engine Version: <Antimalware Engine version>
        -

        -

        User action:

        +User action: - -

        No action is necessary. The Windows Defender AV Antivirus client is in a healthy state. This event is reported on an hourly basis.

        + +No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. -Event ID: 2000 - -

        Symbolic name:

        +Event ID: 2000 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_UPDATED -

        + +MALWAREPROTECTION_SIGNATURE_UPDATED + -

        Message:

        +Message: - -

        The antimalware definitions updated successfully. -

        + +The antimalware definitions updated successfully. + -

        Description:

        +Description: - -

        -

        Windows Defender AV signature version has been updated.

        + +Windows Defender signature version has been updated.
        Current Signature Version: <Current signature version>
        Previous Signature Version: <Previous signature version>
        @@ -1426,42 +1413,41 @@ Description of the error.
        Current Engine Version: <Current engine version>
        Previous Engine Version: <Previous engine version>
        -

        -

        User action:

        +User action: - -

        No action is necessary. The Windows Defender AV client is in a healthy state. This event is reported when signatures are successfully updated.

        + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated. -Event ID: 2001 - -

        Symbolic name:

        +Event ID: 2001 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

        + +MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED -

        Message:

        +Message: - -

        The antimalware definition update failed. -

        + +The antimalware definition update failed. + -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to update signatures.

        + +Windows Defender has encountered an error trying to update signatures.
        New Signature Version: <New version number>
        Previous Signature Version: <Previous signature version>
        @@ -1498,92 +1484,89 @@ Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        -

        User action:

        +User action: - -

        This error occurs when there is a problem updating definitions.

        -

        To troubleshoot this event: + +This error occurs when there is a problem updating definitions. +To troubleshoot this event:

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. +
        3. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
        4. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
        5. Contact Microsoft Technical Support.
        -

        -Event ID: 2002 - -

        Symbolic name:

        +Event ID: 2002 + + +Symbolic name: - -

        MALWAREPROTECTION_ENGINE_UPDATED

        + +MALWAREPROTECTION_ENGINE_UPDATED -

        Message:

        +Message: - -

        The antimalware engine updated successfully. -

        + +The antimalware engine updated successfully. + -

        Description:

        +Description: - -

        -

        Windows Defender AV engine version has been updated.

        + +Windows Defender engine version has been updated.
        Current Engine Version: <Current engine version>
        Previous Engine Version: <Previous engine version>
        Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
        User: <Domain>\\<User>
        -

        -

        User action:

        +User action: - -

        No action is necessary. The Windows Defender AV client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

        + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated. -Event ID: 2003 - -

        Symbolic name:

        +Event ID: 2003 + + +Symbolic name: - -

        MALWAREPROTECTION_ENGINE_UPDATE_FAILED

        + +MALWAREPROTECTION_ENGINE_UPDATE_FAILED -

        Message:

        +Message: - -

        The antimalware engine update failed. -

        + +The antimalware engine update failed. + -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to update the engine.

        + +Windows Defender has encountered an error trying to update the engine.
        New Engine Version:
        Previous Engine Version: <Previous engine version>
        @@ -1594,50 +1577,46 @@ Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        -

        User action:

        +User action: - -

        The Windows Defender AV client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

        -

        To troubleshoot this event: -

        + +The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. +To troubleshoot this event:

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        7. Contact Microsoft Technical Support +
        8. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
        9. +
        10. Contact Microsoft Technical Support. +
        -

        -Event ID: 2004 - -

        Symbolic name:

        +Event ID: 2004 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_REVERSION

        + +MALWAREPROTECTION_SIGNATURE_REVERSION -

        Message:

        +Message: - -

        There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

        + +There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions. -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

        + +Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
        Signatures Attempted:
        Error Code: <Error code>
@@ -1647,83 +1626,80 @@ Description of the error.
        Signature Version: <Definition version>
        Engine Version: <Antimalware engine version>
        -

        -

        User action:

        +User action: - -

        The Windows Defender AV client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender AV will attempt to revert back to a known-good set of definitions.

        -

        To troubleshoot this event: + +The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions. +To troubleshoot this event:

        1. Restart the computer and try again.
        2. Download the latest definitions from the Microsoft Malware Protection Center. -

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          +Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
        3. Contact Microsoft Technical Support.
        -

        -Event ID: 2005 - -

        Symbolic name:

        +Event ID: 2005 + + +Symbolic name: - -

        MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

        + +MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE -

        Message:

        +Message: - -

        The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

        + +The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update. -

        Description:

        +Description: - -

        -

        Windows Defender AV could not load antimalware engine because current platform version is not supported. Windows Defender AV will revert back to the last known-good engine and a platform update will be attempted.

        + +Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
        Current Platform Version: <Current platform version>
        -

        -Event ID: 2006 - -

        Symbolic name:

        +Event ID: 2006 + + +Symbolic name: - -

        MALWAREPROTECTION_PLATFORM_UPDATE_FAILED -

        + +MALWAREPROTECTION_PLATFORM_UPDATE_FAILED + -

        Message:

        +Message: - -

        The platform update failed. -

        + +The platform update failed. + -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to update the platform.

        + +Windows Defender has encountered an error trying to update the platform.
        Current Platform Version: <Current platform version>
        Error Code: <Error code>
@@ -1731,65 +1707,63 @@ Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        -Event ID: 2007 - -

        Symbolic name:

        +Event ID: 2007 + + +Symbolic name: - -

        MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

        + +MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE -

        Message:

        +Message: - -

        The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

        + +The platform will soon be out of date. Download the latest platform to maintain up-to-date protection. -

        Description:

        +Description: - -

        -

        Windows Defender AV will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender AV platform to maintain the best level of protection available.

        + +Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
        Current Platform Version: <Current platform version>
        -

        -Event ID: 2010 - -

        Symbolic name:

        +Event ID: 2010 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED -

        + +MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED + -

        Message:

        +Message: - -

        The antimalware engine used the Dynamic Signature Service to get additional definitions. -

        + +The antimalware engine used the Dynamic Signature Service to get additional definitions. + -

        Description:

        +Description: - -

        -

        Windows Defender AV used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

        + +Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
        Current Signature Version: <Current signature version>
        Signature Type: <Signature type>, for example:
          @@ -1820,35 +1794,34 @@ Description of the error.
        Persistence Limit: Persistence limit of the fastpath signature.
        -

        -Event ID: 2011 - -

        Symbolic name:

        +Event ID: 2011 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED -

        + +MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED + -

        Message:

        +Message: - -

        The Dynamic Signature Service deleted the out-of-date dynamic definitions. -

        + +The Dynamic Signature Service deleted the out-of-date dynamic definitions. + -

        Description:

        +Description: - -

        -

        Windows Defender AV used Dynamic Signature Service to discard obsolete signatures.

        + +Windows Defender used Dynamic Signature Service to discard obsolete signatures.
        Current Signature Version: <Current signature version>
        Signature Type: <Signature type>, for example:
          @@ -1880,43 +1853,42 @@ Description of the error.
        Persistence Limit: Persistence limit of the fastpath signature.
        -

        -

        User action:

        +User action: - -

        No action is necessary. The Windows Defender AV client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

        + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. -Event ID: 2012 - -

        Symbolic name:

        +Event ID: 2012 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED -

        + +MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED + -

        Message:

        +Message: - -

        The antimalware engine encountered an error when trying to use the Dynamic Signature Service. -

        + +The antimalware engine encountered an error when trying to use the Dynamic Signature Service. + -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to use Dynamic Signature Service.

        + +Windows Defender has encountered an error trying to use Dynamic Signature Service.
        Current Signature Version: <Current signature version>
        Signature Type: <Signature type>, for example:
          @@ -1951,109 +1923,106 @@ Description of the error.
        Persistence Limit: Persistence limit of the fastpath signature.
        -

        -

        User action:

        +User action: - -

        Check your Internet connectivity settings.

        + +Check your Internet connectivity settings. -Event ID: 2013 - -

        Symbolic name:

        +Event ID: 2013 + + +Symbolic name: - -

        MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL -

        + +MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL + -

        Message:

        +Message: - -

        The Dynamic Signature Service deleted all dynamic definitions. -

        + +The Dynamic Signature Service deleted all dynamic definitions. + -

        Description:

        +Description: - -

        -

        Windows Defender AV discarded all Dynamic Signature Service signatures.

        + +Windows Defender discarded all Dynamic Signature Service signatures.
        Current Signature Version: <Current signature version>
        -

        -Event ID: 2020 - -

        Symbolic name:

        +Event ID: 2020 + + +Symbolic name: - -

        MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED -

        + +MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED + -

        Message:

        +Message: - -

        The antimalware engine downloaded a clean file. -

        + +The antimalware engine downloaded a clean file. + -

        Description:

        +Description: - -

        -

        Windows Defender AV downloaded a clean file.

        + +Windows Defender downloaded a clean file.
        Filename: <File name> Name of the file.
        Current Signature Version: <Current signature version>
        Current Engine Version: <Current engine version>
        -

        -Event ID: 2021 - -

        Symbolic name:

        +Event ID: 2021 + + +Symbolic name: - -

        MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

        + +MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED -

        Message:

        +Message: - -

        The antimalware engine failed to download a clean file. -

        + +The antimalware engine failed to download a clean file. + -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to download a clean file.

        + +Windows Defender has encountered an error trying to download a clean file.
        Filename: <File name> Name of the file.
        @@ -2064,185 +2033,185 @@ Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        -

        User action:

        +User action: - -

        Check your Internet connectivity settings. -

        -

        The Windows Defender AV client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -

        + +Check your Internet connectivity settings. +The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -Event ID: 2030 - -

        Symbolic name:

        +Event ID: 2030 + + +Symbolic name: - -

        MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

        + +MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED -

        Message:

        +Message: - -

        The antimalware engine was downloaded and is configured to run offline on the next system restart.

        + +The antimalware engine was downloaded and is configured to run offline on the next system restart. -

        Description:

        +Description: - -

        Windows Defender AV downloaded and configured Windows Defender Offline to run on the next reboot.

        + +Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot. -Event ID: 2031 - -

        Symbolic name:

        +Event ID: 2031 + + +Symbolic name: - -

        MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED -

        + +MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED + -

        Message:

        +Message: - -

        The antimalware engine was unable to download and configure an offline scan.

        + +The antimalware engine was unable to download and configure an offline scan. -

        Description:

        +Description: - -

        -

        Windows Defender AV has encountered an error trying to download and configure Windows Defender Offline.

        + +Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
        Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        -Event ID: 2040 - -

        Symbolic name:

        +Event ID: 2040 + + +Symbolic name: - -

        MALWAREPROTECTION_OS_EXPIRING -

        + +MALWAREPROTECTION_OS_EXPIRING + -

        Message:

        +Message: - -

        Antimalware support for this operating system version will soon end. -

        + +Antimalware support for this operating system version will soon end. + -

        Description:

        +Description: - -

        The support for your operating system will expire shortly. Running Windows Defender AV on an out of support operating system is not an adequate solution to protect against threats.

        + +The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. -Event ID: 2041 - -

        Symbolic name:

        +Event ID: 2041 + + +Symbolic name: - -

        MALWAREPROTECTION_OS_EOL -

        + +MALWAREPROTECTION_OS_EOL + -

        Message:

        +Message: - -

        Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. -

        + +Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. + -

        Description:

        +Description: - -

        The support for your operating system has expired. Running Windows Defender AV on an out of support operating system is not an adequate solution to protect against threats.

        + +The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. -Event ID: 2042 - -

        Symbolic name:

        +Event ID: 2042 + + +Symbolic name: - -

        MALWAREPROTECTION_PROTECTION_EOL -

        + +MALWAREPROTECTION_PROTECTION_EOL + -

        Message:

        +Message: - -

        The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. -

        + +The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. + -

        Description:

        +Description: - -

        The support for your operating system has expired. Windows Defender AV is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

        + +The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. -Event ID: 3002 - -

        Symbolic name:

        +Event ID: 3002 + + +Symbolic name: - -

        MALWAREPROTECTION_RTP_FEATURE_FAILURE -

        + +MALWAREPROTECTION_RTP_FEATURE_FAILURE + -

        Message:

        +Message: - -

        Real-time protection encountered an error and failed.

        + +Real-time protection encountered an error and failed. -

        Description:

        +Description: - -

        -

        Windows Defender AV real-time protection feature has encountered an error and failed.

        + +Windows Defender Real-Time Protection feature has encountered an error and failed.
        Feature: <Feature>, for example:
          @@ -2256,49 +2225,45 @@ Description of the error.
        Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -
        Reason: The reason Windows Defender AV real-time protection has restarted a feature.
        +
        Reason: The reason Windows Defender real-time protection has restarted a feature.
        -

        -

        User action:

        +User action: - -

        You should restart the system then run a full scan because it's possible the system was not protected for some time. -

        -

        The Windows Defender AV client's real-time protection feature encountered an error because one of the services failed to start. -

        -

        If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -

        + +You should restart the system then run a full scan because it's possible the system was not protected for some time. +The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. +If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -Event ID: 3007 - -

        Symbolic name:

        +Event ID: 3007 + + +Symbolic name: - -

        MALWAREPROTECTION_RTP_FEATURE_RECOVERED

        + +MALWAREPROTECTION_RTP_FEATURE_RECOVERED -

        Message:

        +Message: - -

        Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. -

        + +Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. + -

        Description:

        +Description: - -

        -

        Windows Defender AV real-time protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

        + +Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
        Feature: <Feature>, for example:
          @@ -2308,98 +2273,99 @@ Description of the error.
      1. Network Inspection System
    -
    Reason: The reason Windows Defender AV real-time protection has restarted a feature.
    +
    Reason: The reason Windows Defender real-time protection has restarted a feature.
    -

    -

    User action:

    +User action: - -

    The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

    + +The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support. -Event ID: 5000 - -

    Symbolic name:

    +Event ID: 5000 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_ENABLED -

    + +MALWAREPROTECTION_RTP_ENABLED + -

    Message:

    +Message: - -

    Real-time protection is enabled. -

    + +Real-time protection is enabled. + -

    Description:

    +Description: - -

    Windows Defender AV real-time protection scanning for malware and other potentially unwanted software was enabled.

    + +Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled. -Event ID: 5001 - -

    Symbolic name:

    +Event ID: 5001 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_DISABLED

    + +MALWAREPROTECTION_RTP_DISABLED -

    Message:

    +Message: - -

    Real-time protection is disabled. -

    + +Real-time protection is disabled. + -

    Description:

    +Description: - -

    Windows Defender AV real-time protection scanning for malware and other potentially unwanted software was disabled.

    + +Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. -Event ID: 5004 - -

    Symbolic name:

    +Event ID: 5004 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_FEATURE_CONFIGURED -

    + +MALWAREPROTECTION_RTP_FEATURE_CONFIGURED + -

    Message:

    +Message: - -

    The real-time protection configuration changed. -

    + +The real-time protection configuration changed. + -

    Description:

    +Description: - -

    -

    Windows Defender AV real-time protection feature configuration has changed.

    + +Windows Defender Real-time Protection feature configuration has changed.
    Feature: <Feature>, for example:
      @@ -2411,67 +2377,65 @@ Description of the error.
    Configuration:
    -

    -Event ID: 5007 - -

    Symbolic name:

    +Event ID: 5007 + + +Symbolic name: - -

    MALWAREPROTECTION_CONFIG_CHANGED -

    + +MALWAREPROTECTION_CONFIG_CHANGED + -

    Message:

    +Message: - -

    The antimalware platform configuration changed.

    + +The antimalware platform configuration changed. -

    Description:

    +Description: - -

    -

    Windows Defender AV configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

    + +Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
    Old value: <Old value number> -Old Windows Defender AV configuration value.
    +Old Windows Defender configuration value.
    New value: <New value number> -New Windows Defender AV configuration value.
    +New Windows Defender configuration value.
    -

    -Event ID: 5008 - -

    Symbolic name:

    +Event ID: 5008 + + +Symbolic name: - -

    MALWAREPROTECTION_ENGINE_FAILURE

    + +MALWAREPROTECTION_ENGINE_FAILURE -

    Message:

    +Message: - -

    The antimalware engine encountered an error and failed.

    + +The antimalware engine encountered an error and failed. -

    Description:

    +Description: - -

    -

    Windows Defender AV engine has been terminated due to an unexpected error.

    + +Windows Defender engine has been terminated due to an unexpected error.
    Failure Type: <Failure type>, for example: Crash @@ -2479,191 +2443,206 @@ or Hang
    Exception Code: <Error code>
    Resource: <Resource>
    -

    -

    User action:

    +User action: - -

    To troubleshoot this event:

      -
    1. Try to restart the service:
        + +To troubleshoot this event:
          +
        1. Try to restart the service.
          • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
          • For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file.
        2. -
        3. Run the scan again.
        4. If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
        -

        - - - -Event ID: 5009 - -

        Symbolic name:

        - - -

        MALWAREPROTECTION_ANTISPYWARE_ENABLED -

        -

        Message:

        +User action: - -

        Scanning for malware and other potentially unwanted software is enabled. -

        + +The Windows Defender client engine stopped due to an unexpected error. +To troubleshoot this event: +
          +
        1. Run the scan again.
        2. +
        3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        4. +
        5. Contact Microsoft Technical Support. +
        6. +
        + + + +Event ID: 5009 + + +Symbolic name: + + +MALWAREPROTECTION_ANTISPYWARE_ENABLED + -

        Description:

        +Message: - -

        Windows Defender AV scanning for malware and other potentially unwanted software has been enabled.

        - - - -Event ID: 5010 - -

        Symbolic name:

        - - -

        MALWAREPROTECTION_ANTISPYWARE_DISABLED -

        + +Scanning for malware and other potentially unwanted software is enabled. + -

        Message:

        +Description: - -

        Scanning for malware and other potentially unwanted software is disabled.

        + +Windows Defender scanning for malware and other potentially unwanted software has been enabled. + + + +Event ID: 5010 + + +Symbolic name: + + +MALWAREPROTECTION_ANTISPYWARE_DISABLED + -

        Description:

        +Message: - -

        Windows Defender AV scanning for malware and other potentially unwanted software is disabled.

        - - - -Event ID: 5011 - -

        Symbolic name:

        - - -

        MALWAREPROTECTION_ANTIVIRUS_ENABLED

        + +Scanning for malware and other potentially unwanted software is disabled. -

        Message:

        +Description: - -

        Scanning for viruses is enabled.

        + +Windows Defender scanning for malware and other potentially unwanted software is disabled. + + + +Event ID: 5011 + + +Symbolic name: + + +MALWAREPROTECTION_ANTIVIRUS_ENABLED -

        Description:

        +Message: - -

        Windows Defender AV scanning for viruses has been enabled.

        - - - -Event ID: 5012 - -

        Symbolic name:

        - - -

        MALWAREPROTECTION_ANTIVIRUS_DISABLED -

        + +Scanning for viruses is enabled. -

        Message:

        +Description: - -

        Scanning for viruses is disabled. -

        + +Windows Defender scanning for viruses has been enabled. + + + +Event ID: 5012 + + +Symbolic name: + + +MALWAREPROTECTION_ANTIVIRUS_DISABLED + -

        Description:

        +Message: - -

        Windows Defender AV scanning for viruses is disabled.

        - - - -Event ID: 5100 - -

        Symbolic name:

        - - -

        MALWAREPROTECTION_EXPIRATION_WARNING_STATE -

        + +Scanning for viruses is disabled. + -

        Message:

        +Description: - -

        The antimalware platform will expire soon. -

        + +Windows Defender scanning for viruses is disabled. + + + +Event ID: 5100 + + +Symbolic name: + + +MALWAREPROTECTION_EXPIRATION_WARNING_STATE + -

        Description:

        +Message: - -

        -

        Windows Defender AV has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

        + +The antimalware platform will expire soon. + + + + + +Description: + + +Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
        -
        Expiration Reason: The reason Windows Defender AV will expire.
        -
        Expiration Date: The date Windows Defender AV will expire.
        +
        Expiration Reason: The reason Windows Defender will expire.
        +
        Expiration Date: The date Windows Defender will expire.
        -

        -Event ID: 5101 - -

        Symbolic name:

        +Event ID: 5101 + + +Symbolic name: - -

        MALWAREPROTECTION_DISABLED_EXPIRED_STATE -

        + +MALWAREPROTECTION_DISABLED_EXPIRED_STATE + -

        Message:

        +Message: - -

        The antimalware platform is expired. -

        + +The antimalware platform is expired. + -

        Description::

        +Description: - -

        -

        Windows Defender AV grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

        + +Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
        Expiration Reason:
        Expiration Date:
        @@ -2672,625 +2651,546 @@ Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        -## Windows Defender Antivirus client error codes -If Windows Defender AV experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. -This section provides the following information about Windows Defender AV client errors. +## Windows Defender client error codes +If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. +This section provides the following information about Windows Defender Antivirus client errors. - The error code - The possible reason for the error - Advice on what to do now -Use the information in these tables to help troubleshoot Windows Defender AV error codes. - -### External error codes +Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. - + +
        - - - + + + + + + + + + + + - - + + + - - + + + - - + + + - - - + + + - - - + + + + + + + + + + + + - - + + + - - + + + - - + + + - - + + + - - - - - - -
        Error codeMessage displayedPossible reason for errorError code: 0x80508007
        Message +ERR_MP_NO_MEMORY +
        -

        0x80508007 -

        +Possible reason
        -

        ERR_MP_NO_MEMORY -

        +This error indicates that you might have run out of memory.
        Resolution -

        This error indicates that you might have run out of memory. -

        -

        What to do now

        -

        1. Check the available memory on your device.
        2. Close any unused applications that are running to free up memory on your device.
        3. Restart the device and run the scan again.
        -

        Error code: 0x8050800C
        MessageERR_MP_BAD_INPUT_DATA +
        Possible reason -

        0x8050800C

        +This error indicates that there might be a problem with your security product.
        -

        ERR_MP_BAD_INPUT_DATA

        -
        -

        This error indicates that there might be a problem with your security product.

        -

        What to do now

        -

        +

        Resolution
          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. +
        5. Update the definitions. Either:
            +
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows DefenderOr, +
          2. +
          3. Download the latest definitions from the Microsoft Malware Protection Center. +Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions. +
          4. +
          +
        6. +
        7. Run a full scan. +
        8. Restart the device and try again.
        -

        Error code: 0x80508020
        MessageERR_MP_BAD_CONFIGURATION + +
        Possible reason -

        0x80508020

        -
        -

        ERR_MP_BAD_CONFIGURATION -

        -
        -

        This error indicates that there might be an engine configuration error; commonly, this is related to input +This error indicates that there might be an engine configuration error; commonly, this is related to input data that does not allow the engine to function properly. -

        -

        What to do now

        -

        -

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        -

        Error code: 0x805080211 +
        MessageERR_MP_QUARANTINE_FAILED + +
        Possible reason -

        0x805080211 -

        -
        -

        ERR_MP_QUARANTINE_FAILED -

        -
        -

        This error indicates that Windows Defender AV failed to quarantine a threat. -

        -

        What to do now

        -

        -

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        -

        +This error indicates that Windows Defender failed to quarantine a threat.
        Error code: 0x80508022 +
        MessageERR_MP_REBOOT_REQUIRED + +
        Possible reason -

        0x80508022 -

        -
        -

        ERR_MP_REBOOT_REQUIRED -

        -
        -

        This error indicates that a reboot is required to complete threat removal. -

        -

        What to do now

        -

        -

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        -

        +This error indicates that a reboot is required to complete threat removal.
        -

        0x80508023 -

        +
        +0x80508023 +
        MessageERR_MP_THREAT_NOT_FOUND + +
        Possible reason +This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. +
        Resolution -

        ERR_MP_THREAT_NOT_FOUND -

        -
        -

        This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. -

        -

        What to do now

        -

        Run the Microsoft Safety Scanner then update your security software and try again. -

        +Run the Microsoft Safety Scanner then update your security software and try again.
        -

        ERR_MP_FULL_SCAN_REQUIRED -

        -
        -

        This error indicates that a full system scan might be required. -

        -

        What to do now

        -

        Run a full system scan. -

        +
        Error code: 0x80508024
        MessageERR_MP_FULL_SCAN_REQUIRED + +
        Possible reason +This error indicates that a full system scan might be required. +
        Resolution +Run a full system scan.
        Error code: 0x80508025 +
        MessageERR_MP_MANUAL_STEPS_REQUIRED + +
        Possible reason -

        0x80508024 -

        +This error indicates that manual steps are required to complete threat removal. +
        Resolution +Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
        Error code: 0x80508026 +
        MessageERR_MP_REMOVE_NOT_SUPPORTED + +
        Possible reason -

        0x80508025 -

        -
        -

        ERR_MP_MANUAL_STEPS_REQUIRED -

        -
        -

        This error indicates that manual steps are required to complete threat removal. -

        -

        What to do now

        -

        Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. -

        +This error indicates that removal inside the container type might not be not supported. +
        Resolution +Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
        Error code: 0x80508027 +
        MessageERR_MP_REMOVE_LOW_MEDIUM_DISABLED + +
        Possible reason -

        0x80508026 -

        -
        -

        ERR_MP_REMOVE_NOT_SUPPORTED -

        -
        -

        This error indicates that removal inside the container type might not be not supported. -

        -

        What to do now

        -

        Windows Defender AV is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. -

        +This error indicates that removal of low and medium threats might be disabled. +
        Resolution +Check the detected threats and resolve them as required.
        Error code: 0x80508029 +
        MessageERROR_MP_RESCAN_REQUIRED + +
        Possible reason -

        0x80508027 -

        -
        -

        ERR_MP_REMOVE_LOW_MEDIUM_DISABLED -

        -
        -

        This error indicates that removal of low and medium threats might be disabled. -

        -

        What to do now

        -

        Check the detected threats and resolve them as required. -

        +This error indicates a rescan of the threat is required. +
        Resolution +Run a full system scan.
        Error code: 0x80508030 +
        MessageERROR_MP_CALLISTO_REQUIRED + +
        Possible reason -

        0x80508029 -

        -
        -

        ERROR_MP_RESCAN_REQUIRED -

        -
        -

        This error indicates a rescan of the threat is required. -

        -

        What to do now

        -

        Run a full system scan. -

        +This error indicates that an offline scan is required. +
        Resolution +Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline +article.
        Error code: 0x80508031 +
        MessageERROR_MP_PLATFORM_OUTDATED + +
        Possible reason -

        0x80508030 -

        -
        -

        ERROR_MP_CALLISTO_REQUIRED -

        -
        -

        This error indicates that an offline scan is required. -

        -

        What to do now

        -

        Run [Windows Defender Offline](windows-defender-offline.md).

        -
        -

        0x80508031 -

        -
        -

        ERROR_MP_PLATFORM_OUTDATED -

        -
        -

        This error indicates that Windows Defender AV does not support the current version of the platform and requires a new version of the platform. -

        -

        What to do now

        -

        You can only use Windows Defender AV in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. -

        +This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. +
        Resolution +You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
        -### Internal error codes + +The following error codes are used during internal testing of Windows Defender AV. -The following error codes are used during internal testing of Windows Defender AV. +If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint. - + +
        - + + + + - + - +
        Error codeInternal error codes
        Error code Message displayedPossible reason for errorPossible reason for error and resolution
        -

        0x80501004

        +0x80501004
        -

        ERROR_MP_NO_INTERNET_CONN -

        +ERROR_MP_NO_INTERNET_CONN +
        -

        Windows Defender AV can't access the Internet.

        -

        What to do now

        -

        Check your Internet connection, then run the scan again.

        +Check your Internet connection, then run the scan again.
        -

        0x80501000

        +0x80501000
        -

        ERROR_MP_UI_CONSOLIDATION_BASE

        +ERROR_MP_UI_CONSOLIDATION_BASE
        -

        This is an internal error. The cause is not clearly defined.

        -

        What to do now

        -

        -

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        -

        +
        +This is an internal error. The cause is not clearly defined. + +
        -

        0x80501001

        +0x80501001
        -

        ERROR_MP_ACTIONS_FAILED

        +ERROR_MP_ACTIONS_FAILED
        -

        0x80501002

        +0x80501002
        -

        ERROR_MP_NOENGINE

        +ERROR_MP_NOENGINE
        -

        0x80501003

        +0x80501003
        -

        ERROR_MP_ACTIVE_THREATS

        +ERROR_MP_ACTIVE_THREATS
        -

        0x805011011

        +0x805011011
        -

        MP_ERROR_CODE_LUA_CANCELLED

        +MP_ERROR_CODE_LUA_CANCELLED
        -

        0x80501101

        +0x80501101
        -

        ERROR_LUA_CANCELLATION

        +ERROR_LUA_CANCELLATION
        -

        0x80501102

        +0x80501102
        -

        MP_ERROR_CODE_ALREADY_SHUTDOWN

        +MP_ERROR_CODE_ALREADY_SHUTDOWN
        -

        0x80501103

        +0x80501103
        -

        MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

        +MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
        -

        0x80501104

        +0x80501104
        -

        MP_ERROR_CODE_CANCELLED

        +MP_ERROR_CODE_CANCELLED
        -

        0x80501105

        +0x80501105
        -

        MP_ERROR_CODE_NO_TARGETOS

        +MP_ERROR_CODE_NO_TARGETOS
        -

        0x80501106

        +0x80501106
        -

        MP_ERROR_CODE_BAD_REGEXP

        +MP_ERROR_CODE_BAD_REGEXP
        -

        0x80501107

        +0x80501107
        -

        MP_ERROR_TEST_INDUCED_ERROR

        +MP_ERROR_TEST_INDUCED_ERROR
        -

        0x80501108

        +0x80501108
        -

        MP_ERROR_SIG_BACKUP_DISABLED

        +MP_ERROR_SIG_BACKUP_DISABLED
        -

        0x80508001

        +0x80508001
        -

        ERR_MP_BAD_INIT_MODULES

        +ERR_MP_BAD_INIT_MODULES
        -

        0x80508002

        +0x80508002
        -

        ERR_MP_BAD_DATABASE

        +ERR_MP_BAD_DATABASE
        -

        0x80508004

        +0x80508004
        -

        ERR_MP_BAD_UFS

        +ERR_MP_BAD_UFS
        -

        0x8050800C

        +0x8050800C
        -

        ERR_MP_BAD_INPUT_DATA

        +ERR_MP_BAD_INPUT_DATA
        -

        0x8050800D

        +0x8050800D
        -

        ERR_MP_BAD_GLOBAL_STORAGE

        +ERR_MP_BAD_GLOBAL_STORAGE
        -

        0x8050800E

        +0x8050800E
        -

        ERR_MP_OBSOLETE

        +ERR_MP_OBSOLETE
        -

        0x8050800F

        +0x8050800F
        -

        ERR_MP_NOT_SUPPORTED

        +ERR_MP_NOT_SUPPORTED
        -

        0x8050800F +0x8050800F 0x80508010 -

        -

        ERR_MP_NO_MORE_ITEMS

        +ERR_MP_NO_MORE_ITEMS
        -

        0x80508011

        +0x80508011
        -

        ERR_MP_DUPLICATE_SCANID

        +ERR_MP_DUPLICATE_SCANID
        -

        0x80508012

        +0x80508012
        -

        ERR_MP_BAD_SCANID

        +ERR_MP_BAD_SCANID
        -

        0x80508013

        +0x80508013
        -

        ERR_MP_BAD_USERDB_VERSION

        +ERR_MP_BAD_USERDB_VERSION
        -

        0x80508014

        +0x80508014
        -

        ERR_MP_RESTORE_FAILED

        +ERR_MP_RESTORE_FAILED
        -

        0x80508016

        +0x80508016
        -

        ERR_MP_BAD_ACTION

        +ERR_MP_BAD_ACTION
        -

        0x80508019

        +0x80508019
        -

        ERR_MP_NOT_FOUND

        +ERR_MP_NOT_FOUND
        -

        0x80509001

        +0x80509001
        -

        ERR_RELO_BAD_EHANDLE

        +ERR_RELO_BAD_EHANDLE
        -

        0x80509003

        +0x80509003
        -

        ERR_RELO_KERNEL_NOT_LOADED

        +ERR_RELO_KERNEL_NOT_LOADED
        -

        0x8050A001

        +0x8050A001
        -

        ERR_MP_BADDB_OPEN

        +ERR_MP_BADDB_OPEN
        -

        0x8050A002

        +0x8050A002
        -

        ERR_MP_BADDB_HEADER

        +ERR_MP_BADDB_HEADER
        -

        0x8050A003

        +0x8050A003
        -

        ERR_MP_BADDB_OLDENGINE

        +ERR_MP_BADDB_OLDENGINE
        -

        0x8050A004

        +0x8050A004
        -

        ERR_MP_BADDB_CONTENT

        +ERR_MP_BADDB_CONTENT
        -

        0x8050A005

        +0x8050A005
        -

        ERR_MP_BADDB_NOTSIGNED

        +ERR_MP_BADDB_NOTSIGNED
        -

        0x8050801

        +0x8050801
        -

        ERR_MP_REMOVE_FAILED

        +ERR_MP_REMOVE_FAILED
        -

        This is an internal error. It might be triggered when malware removal is not successful. -

        -

        What to do now

        -

        -

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        -

        +This is an internal error. It might be triggered when malware removal is not successful.
        -

        0x80508018 -

        +0x80508018
        -

        ERR_MP_SCAN_ABORTED -

        +ERR_MP_SCAN_ABORTED +
        -

        This is an internal error. It might have triggered when a scan fails to complete. -

        -

        What to do now

        -

        -

          -
        1. [Update the definitions](manage-updates-baselines-windows-defender-antivirus.md).
        2. -
        3. Run a full scan.
        4. -
        5. Restart the device and try again.
        6. -
        -

        +This is an internal error. It might have triggered when a scan fails to complete.
        diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index 661ce72277..55a97e770f 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use Group Policy settings to configure and manage Windows Defender AV
@@ -82,7 +84,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not
 Reporting | Configure time out for detections in recently remediated state | Not used
 Reporting | Configure time out for detections requiring additional action | Not used
 Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Root | Turn off Windows Defender Antivirus | Not used
+Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
 Root | Define addresses to bypass proxy server | Not used
 Root | Define proxy auto-config (.pac) for connecting to the network | Not used
 Root | Define proxy server for connecting to the network | Not used
diff --git a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index d7904ec127..914d50f8b3 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index ae1135c98c..6a3cb8e8bd 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use PowerShell cmdlets to configure and manage Windows Defender AV
diff --git a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index 39b5a2ad99..e009932162 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 354b545edb..6a6267b89a 100644
--- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 6bef064955..84504a1aae 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index d331e9d39e..2f90715cf9 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -1,6 +1,6 @@ --- title: Windows Defender Antivirus -description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10. +description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -8,20 +8,23 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- -# Windows Defender Antivirus in Windows 10 +# Windows Defender Antivirus in Windows 10 and Windows Server 2016 **Applies to** - Windows 10 +- Windows Server 2016 Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network. -For more important information about running Windows Defender AV on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx). +For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Windows Defender AV can be managed with: - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) 
@@ -57,14 +60,14 @@ See the [In this library](#in-this-library) list at the end of this topic for li ## Minimum system requirements -Windows Defender has the same hardware requirements as Windows 10. For more information, see: +Windows Defender AV has the same hardware requirements as Windows 10. For more information, see: - [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) - [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic. -Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). +Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). 
@@ -73,10 +76,13 @@ Functionality, configuration, and management is largely the same when using Wind Topic | Description :---|:--- -[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script -[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools -[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings +[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place +[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions +[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection +[Evaluate Windows Defender AV 
protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script +[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools +[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues +[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here 
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index b3305b6b1c..91520bc734 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -1,6 +1,6 @@ --- title: Windows Defender Antivirus on Windows Server 2016 -description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint +description: Enable and configure Windows Defender AV on Windows Server 2016 keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -8,12 +8,14 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- -# Windows Defender Antivirus on Windows Server +# Windows Defender Antivirus on Windows Server 2016 **Applies to:** 
@@ -36,15 +38,124 @@ author: iaanw Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. -See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features. - While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences: - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product. +This topic includes the following instructions for setting up and running Windows Defender AV on a server platform: + +- [Enable the interface](#BKMK_UsingDef) + +- [Verify Windows Defender AV is running](#BKMK_DefRun) + +- [Update antimalware definitions](#BKMK_UpdateDef) + +- [Submit Samples](#BKMK_DefSamples) + +- [Configure automatic exclusions](#BKMK_DefExclusions) + + +## Enable the interface +By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs. + +You can enable or disable the interface by using the **Add Roles and Features Wizard** or PowerShellCmdlets, as described in the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic. 
+ +The following PowerShell cmdlet will enable the interface: + +```PowerShell +Install-WindowsFeature -Name Windows-Defender-GUI +``` + +The following cmdlet will disable the interface: + +```PS +Uninstall-WindowsFeature -Name Windows-Server-Antimalware +``` + +> [!TIP] +> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md). + + + +## Verify Windows Defender is running +To verify that Windows Defender AV is running on the server, run the following command from a command prompt: + +```DOS +sc query Windefend +``` + +The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`. + + +## Update antimalware definitions +In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender AV definitions are approved for the computers you manage. + +By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods: + +- **Windows Update** in Control Panel. + + - **Install updates automatically** results in all updates being automatically installed, including Windows Defender definition updates. + + - **Download updates but let me choose whether to install them** allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + +- **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** + +- The **AUOptions** registry key. 
The following two values allow Windows Update to automatically download and install definition updates. + + - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates. + + - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + +To ensure that protection from malware is maintained, we recommend that you enable the following services: + +- Windows Defender Network Inspection service + +- Windows Error Reporting service + +- Windows Update service + +The following table lists the services for Windows Defender and the dependent services. + +|Service Name|File Location|Description| +|--------|---------|--------| +|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| +|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.| +|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| +|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.| +|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates| + + + + +## Submit Samples +Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions. 
+ +We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. + +### Enable automatic sample submission + +- To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings: + + - **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI. + + - **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files. + + - **2** Never send. The Windows Defender service does not prompt and does not send any files. + + - **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation. + + +## Configure automatic exclusions +To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016. + +See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. + + ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) \ No newline at end of file +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) + + diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md index af07823d3a..3168581911 100644 
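Review bot: The "disable the interface" step in the Enable the interface section names a different feature than the enable step: the enable cmdlet is `Install-WindowsFeature -Name Windows-Defender-GUI`, but the disable cmdlet is `Uninstall-WindowsFeature -Name Windows-Server-Antimalware`, which appears to remove the antimalware feature itself rather than only its user interface, so an administrator following the text as written would silently leave the server without Windows Defender AV. The disable step should target the same feature the enable step added, `Uninstall-WindowsFeature -Name Windows-Defender-GUI`, and the two fenced blocks should carry the same language tag (`PowerShell`) instead of `PowerShell` and `PS`. Separately, the Submit Samples section tells the reader to set the `SubmitSamplesConsent` value from an elevated PowerShell console but never names the cmdlet; adding `Set-MpPreference -SubmitSamplesConsent <value>` before the list of values would make the step actionable. The hunk also ends in the Related topics section, whose remaining lines are outside this view.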
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- # Run and review the results of a Windows Defender Offline scan diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 2a053cc803..dc8b0b0597 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 --- 
@@ -44,7 +46,7 @@ Settings that were previously part of the Windows Defender client and main Windo >This will significantly lower the protection of your device and could lead to malware infection. -See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. +See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] >The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md new file mode 100644 index 0000000000..5221675063 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -0,0 +1,46 @@ +--- +title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Configure Windows Defender Application Guard policy settings + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. + +Application Guard uses both network isolation and application-specific settings. + +### Network isolation settings +These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. + +>[!NOTE] +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. + + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. 
Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| + +### Application-specific settings +These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. + +|Name|Supported versions|Description|Options| +|-----------|------------------|-----------|-------| +|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
        • Disable the clipboard functionality completely when Virtualization Security is enabled.
        • Enable copying of certain content from Application Guard into Microsoft Edge.
        • Enable copying of certain content from Microsoft Edge into Application Guard.

          **Important**
          Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
        **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
        • Enable Application Guard to print into the XPS format.
        • Enable Application Guard to print into the PDF format.
        • Enable Application Guard to print to locally attached printers.
        • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
        **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

        **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

        **Disabled or not configured.** All user data within Application Guard is reset between sessions.

        **Note**
        If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
        **To reset the container:**
        1. Open a command-line program and navigate to Windows/System32.
        2. Type `wdagtool.exe cleanup`.
          The container environment is reset, retaining only the employee-generated data.
        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
          The container environment is reset, including discarding all employee-generated data.
        | +|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

        **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| + diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md new file mode 100644 index 0000000000..78a7228f40 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -0,0 +1,44 @@ +--- +title: Frequently asked questions - Windows Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Frequently asked questions - Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. + +## Frequently Asked Questions + +| | | +|---|----------------------------| +|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| +|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +
        + +| | | +|---|----------------------------| +|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| +|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.| +
        + +| | | +|---|----------------------------| +|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| +|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| +
        + +| | | +|---|----------------------------| +|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| +|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png new file mode 100644 index 0000000000..6f2bb5afcf Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png new file mode 100644 index 0000000000..f1391f862c Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png new file mode 100644 index 0000000000..e0bedcd7cd Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png new file mode 100644 index 0000000000..357be9c65b Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png differ 
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
new file mode 100644
index 0000000000..25c22912a5
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
new file mode 100644
index 0000000000..48aa702feb
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
new file mode 100644
index 0000000000..56acb4be53
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
new file mode 100644
index 0000000000..c5e7982909
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
new file mode 100644
index 0000000000..01f4eb6359
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
new file mode 100644
index 0000000000..3fe617b8ed
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
new file mode 100644
index 0000000000..a946325c66
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
new file mode 100644
index 0000000000..877b707030
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
new file mode 100644
index 0000000000..5172022256
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
new file mode 100644
index 0000000000..a93a6519fc
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -0,0 +1,56 @@ +--- +title: Prepare and install Windows Defender Application Guard (Windows 10) +description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Prepare and install Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +## Prepare to install Windows Defender Application Guard +Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. + +- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. + +- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. + +The following diagram shows the flow between the host PC and the isolated container. +![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) + +## Install Application Guard +Application Guard functionality is turned off by default. 
However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +**To install by using the Control Panel** +1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. + + ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) + +2. Select the check box next to **Windows Defender Application Guard** and then click **OK**. + + Application Guard and its underlying dependencies are all installed. + +**To install by using PowerShell** +1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. + +2. Right-click **Windows PowerShell**, and then click **Run as administrator**. + + Windows PowerShell opens with administrator credentials. + +3. Type the following command: + + ``` + Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard + ``` +4. Restart the device. + + Application Guard and its underlying dependencies are all installed. + diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md new file mode 100644 index 0000000000..c9f657f6f9 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md 
@@ -0,0 +1,39 @@ +--- +title: System requirements for Windows Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# System requirements for Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. + +## Hardware requirements +Your environment needs the following hardware to run Application Guard. + +|Hardware|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

        **-AND-**

        One of the following virtualization extensions for VBS:

        VT-x (Intel)

        **-OR-**

        AMD-V| +|Hardware memory|8 GB minimum, 16 GB recommended| +|Hard disk|5 GB free space, solid state disk (SSD) recommended| +|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| + +## Software requirements +Your environment needs the following hardware to run Application Guard. + +|Software|Description| +|--------|-----------| +|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)| +|Browser|Microsoft Edge and Internet Explorer| +|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

        **-OR-**

        [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

        **-OR-**

        [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

        **-OR-**

        Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md new file mode 100644 index 0000000000..152f404382 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md 
@@ -0,0 +1,159 @@ +--- +title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10) +description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Testing scenarios using Windows Defender Application Guard in your business or organization + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. + +## Application Guard in standalone mode +You can see how an employee would use standalone mode with Application Guard. + +**To test Application Guard in Standalone mode** + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. + + ![New Application Guard window setting option](images/appguard-new-window.png) + +4. Wait for Application Guard to set up the isolated environment. + + >[!NOTE] + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + +5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. 
+ + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +## Application Guard in Enterprise-managed mode +How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. + +### Install, set up, and turn on Application Guard +Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings. + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device and then start Microsoft Edge. + +4. Set up the Network Isolation settings in Group Policy: + + a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. + + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + + c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + + ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + + d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + + e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + + ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + +5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting. + +6. Click **Enabled**. 
+ + ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + + >[!NOTE] + >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + +7. Start Microsoft Edge and type _www.microsoft.com_. + + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + + ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) + +8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. + + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. + + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +### Customize Application Guard +Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees. + +Application Guard provides the following default behavior for your employees: + +- No copying and pasting between the host PC and the isolated container. + +- No printing from the isolated container. + +- No data persistence from one isolated container to another isolated container. + +You have the option to change each of these settings to work with your enterprise from within Group Policy. + +**To change the copy and paste options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled**. + + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) + +3. 
Choose how the clipboard works: + + - Copy and paste from the isolated session to the host PC + + - Copy and paste from the host PC to the isolated session + + - Copy and paste both directions + +4. Choose what can be copied: + + - **1.** Only text can be copied between the host PC and the isolated container. + + - **2.** Only images can be copied between the host PC and the isolated container. + + - **3.** Both text and images can be copied between the host PC and the isolated container. + +5. Click **OK**. + +**To change the print options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled**. + + ![Group Policy editor Print options](images/appguard-gp-print.png) + +3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. + +4. Click **OK**. + +**To change the data persistence options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) + +3. Open Microsoft Edge and browse to an untrusted, but safe URL. + + The website opens in the isolated session. + +4. Add the site to your **Favorites** list and then close the isolated session. + +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + + The previously added site should still appear in your **Favorites** list. 
+ + >[!NOTE] + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

        If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

        **To reset the container:**
        1. Open a command-line program and navigate to Windows/System32.
        2. Type `wdagtool.exe cleanup`.
          The container environment is reset, retaining only the employee-generated data.
        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
          The container environment is reset, including discarding all employee-generated data.
        diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md new file mode 100644 index 0000000000..ac7c37e883 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md 
@@ -0,0 +1,47 @@ +--- +title: Windows Defender Application Guard (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Windows Defender Application Guard overview + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. + +Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. + + +## What is Application Guard and how does it work? +Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. + +If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. 
For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. + +![Hardware isolation diagram](images/appguard-hardware-isolation.png) + +### What types of devices should use Application Guard? +Application Guard has been created to target 3 types of enterprise systems: + +- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. + +- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. + +- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. + +## In this section +|Topic |Description | +|------|------------| +|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. | +|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. 
| +|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| +|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.| +|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index 81691de5b0..1c0e90fab7 100644 --- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -7,9 +7,12 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- + # Turn on advanced features in Windows Defender ATP **Applies to:** @@ -20,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: 
@@ -31,7 +36,7 @@ If your organization satisfies these conditions, the feature is enabled by defau ## Show user details When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views: -- Dashboard +- Security operations dashboard - Alert queue - Machine details page @@ -56,3 +61,4 @@ When you enable this feature, you'll be able to incorporate data from Office 365 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 5ae7bf350c..5b05198ca9 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # View and organize the Windows Defender Advanced Threat Protection Alerts queue 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on. Alerts are organized in queues by their workflow status or assignment: @@ -29,6 +33,7 @@ Alerts are organized in queues by their workflow status or assignment: - **In progress** - **Resolved** - **Assigned to me** +- **Suppression rules** To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. 
@@ -111,13 +116,14 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together ![Alerts queue bulk edit](images/alerts-q-bulk.png) ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender 
ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 78add1c8f2..2d146c99a0 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender ATP alert API fields @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. @@ -272,7 +276,7 @@ Field numbers match the numbers in the images below. ![Image of alert details pane with numbers](images/atp-siem-mapping13.png) -![Image of alert timeline with numbers](images/atp-siem-mapping3.png) +![Image of artifact timeline with numbers](images/atp-siem-mapping3.png) ![Image of alert timeline with numbers](images/atp-siem-mapping4.png) diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 429ac0c65b..3f9933916f 100644 --- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Assign user access to the Windows Defender ATP portal @@ -22,6 +24,8 @@ localizationpriority: high - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles. ## Assign user access using Azure PowerShell diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index eba6caa7cc..723ff75a42 100644 --- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md 
@@ -1,14 +1,16 @@ --- title: Check the health state of the sensor in Windows Defender ATP description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data. -keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication +keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Check sensor health state in Windows Defender ATP @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. 
@@ -48,7 +51,7 @@ You can filter the health state list by the following status: - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service. - **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues: - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine. - - **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. + - **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon. diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index 385a17c7b8..beff40e45f 100644 --- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure HP ArcSight to pull Windows Defender ATP alerts 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 99d2f5b51f..59f69d831e 100644 --- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure email notifications in Windows Defender ATP @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] 
@@ -73,3 +77,4 @@ This section lists various issues that you may encounter when using email notifi - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 703871c3fd..2d17ac8b25 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using Group Policy 
@@ -22,13 +24,16 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + > [!NOTE] > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint management** on the **Navigation pane**. + a. Click **Endpoint management** > **Clients** on the **Navigation pane**. b. Select **Group Policy**, click **Download package** and save the .zip file. @@ -48,6 +53,7 @@ localizationpriority: high 9. Click **OK** and close any open GPMC windows. + ## Additional Windows Defender ATP configuration settings For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. @@ -149,4 +155,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index a17a666708..a1f1d75d60 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using Mobile Device Management tools @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). 
@@ -105,7 +109,7 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint management** on the **Navigation pane**. + a. Select **Endpoint management** > **Clients** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. 
@@ -123,30 +127,44 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png) -4. Type a name, description and choose **Windows 10 and later** as the Platform and **Windows Defender ATP (Windows 10 Desktop)** as the Profile type. +6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type. - ![Image of naming a policy](images/atp-azure-intune-create-policy-configure.png) + ![Image of naming a policy](images/atp-intune-custom.png) 7. Click **Settings** > **Configure**. - ![Image of settings](images/atp-azure-intune-settings-configure.png) + ![Image of settings](images/atp-intune-configure.png) -8. Click the folder icon and select the WindowsDefenderATP.onboarding file you extracted earlier. Configure whether you want to allow sample collection from endpoints for [Deep Analysis](investigate-files-windows-defender-advanced-threat-protection.md) by choosing **All**, or disable this feature by choosing **None**. When complete, click **OK**. +8. Under Custom OMA-URI Settings, click **Add**. - ![Image of configuration settings](images/atp-azure-intune-configure.png) + ![Image of configuration settings](images/atp-custom-oma-uri.png) -9. Click **Create**. +9. Enter the following values, then click **OK**. - ![Image of profile creation](images/atp-azure-intune-create.png) + ![Image of profile creation](images/atp-oma-uri-values.png) -10. Search for and select the Group you want to apply the Configuration Policy to, then click **Select**. + - **Name**: Type a name for the setting. + - **Description**: Type a description for the setting. + - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_ + - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded. 
- ![Image of select groups to apply configuration policy](images/atp-azure-intune-select-group.png) +10. Save the settings by clicking **OK**. + +11. Click **Create**. -11. Click **Save** to finish deploying the Configuration Policy. + ![Image of the policy being created](images/atp-intune-create-policy.png) - ![Image of the policy being saved](images/atp-azure-intune-save-policy.png) +12. To deploy the Profile, click **Assignments**. + ![Image of groups](images/atp-intune-assignments.png) + +13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**. + + ![Image of groups](images/atp-intune-group.png) + +14. Click **Save** to finish deploying the Configuration Profile. + + ![Image of deployment](images/atp-intune-save-deployment.png) ### Offboard and monitor endpoints @@ -188,4 +206,5 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 1976fb8703..89b06fa326 100644 
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using System Center Configuration Manager @@ -22,6 +24,8 @@ localizationpriority: high - Windows Defender Advanced Threat Protection (Windows Defender ATP) - System Center 2012 Configuration Manager or later versions +[!include[Prerelease information](prerelease.md)] + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). @@ -168,4 +172,5 @@ For more information about System Center Configuration Manager Compliance see [C - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 1bde6ab2f6..e2993d8ccb 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure endpoints using a local script @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. > [!NOTE] @@ -120,4 +124,5 @@ Monitoring can also be done directly on the portal, or by using the different de - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8d28359a61 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,82 @@ +--- +title: Configure non-persistent virtual desktop infrastructure (VDI) machines +description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. +keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Configure non-persistent virtual desktop infrastructure (VDI) machines + +**Applies to:** +- Virtual desktop infrastructure (VDI) machines + +[!include[Prerelease information](prerelease.md)] + +## Onboard non-persistent virtual desktop infrastructure (VDI) machines + +Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: + + +- Instant early onboarding of a short living session + - A session should be onboarded to Windows Defender ATP prior to the actual provisioning. + +- Machine name persistence + - The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name. + +You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries. + +1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. 
Click **Endpoint management** > **Clients** on the **Navigation pane**. + + b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file. + +2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. + + >[!NOTE] + >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + +3. The following step is only applicable if you're implementing a single entry for each machine:
        + **For single entry for each machine**:
        + a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
        + + >[!NOTE] + >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + +4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. + +5. Depending on the method you'd like to implement, follow the appropriate steps:
        + **For single entry for each machine**:
        + Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.

        + **For multiple entries for each machine**:
        + Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. + +6. Test your solution: + + a. Create a pool with one machine. + b. Logon to machine. + c. Logoff from machine. + d. Logon to machine with another user. + e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
        + **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal. + +7. Click **Machines list** on the Navigation pane. + +8. Use the search function by entering the machine name and select **Machine** as search type. + +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) + + diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index 73d4781fa1..8b9d4a256a 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md 
@@ -1,17 +1,19 @@ --- -title: Configure Windows Defender ATP endpoints -description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor. -keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +title: Configure Windows Defender ATP client endpoints +description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor. +keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- -# Configure Windows Defender ATP endpoints +# Configure Windows Defender ATP client endpoints **Applies to:** @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. Windows Defender ATP supports the following deployment tools and methods: 
@@ -37,3 +41,4 @@ Topic | Description [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints. [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints. [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. +[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines. diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index c497229e55..1363cca541 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- 
@@ -22,6 +24,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. @@ -79,10 +83,10 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -Primary Domain Controller | .Microsoft.com DNS record +Service location | .Microsoft.com DNS record :---|:--- - US |```*.blob.core.windows.net```
        ```crl.microsoft.com```
        ```us.vortex-win.data.microsoft.com```
        ```winatp-gw-cus.microsoft.com```
        ```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
        ```crl.microsoft.com```
        ```eu.vortex-win.data.microsoft.com```
        ```winatp-gw-neu.microsoft.com```
        ```winatp-gw-weu.microsoft.com```
        + US |```*.blob.core.windows.net```
        ```crl.microsoft.com```
        ```ctldl.windowsupdate.com```
        ```us.vortex-win.data.microsoft.com```
        ```winatp-gw-cus.microsoft.com```
        ```winatp-gw-eus.microsoft.com``` +Europe |```*.blob.core.windows.net```
        ```crl.microsoft.com```
        ```ctldl.windowsupdate.com```
        ```eu.vortex-win.data.microsoft.com```
        ```winatp-gw-neu.microsoft.com```
        ```winatp-gw-weu.microsoft.com```
        If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..f359c9d10b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,87 @@ +--- +title: Configure Windows Defender ATP server endpoints +description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor. +keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 09/05/2017 +--- + +# Configure Windows Defender ATP server endpoints + +**Applies to:** + +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. + +Windows Defender ATP supports the onboarding of the following servers: +- Windows Server 2012 R2 +- Windows Server 2016 + +## Onboard server endpoints + +To onboard your servers to Windows Defender ATP, you’ll need to: + +- Turn on server monitoring from the Windows Defender Security Center portal. +- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. + + +### Turn on Server monitoring from the Windows Defender Security Center portal + +1. In the navigation pane, select **Endpoint management** > **Server management**. + +2. 
Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. + + ![Image of server onboarding](images/atp-server-onboarding.png) + + +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP + +1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). + +2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: + - [Manually install the agent using setup](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
        + On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. + - [Install the agent using the command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). + +Once completed, you should see onboarded servers in the portal within an hour. + +### Configure server endpoint proxy and Internet connectivity settings +- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: + +| Agent Resource | Ports | +|------------------------------------|-------------| +| *.oms.opinsights.azure.com | 443 | +| *.blob.core.windows.net | 443 | +| *.azure-automation.net | 443 | +| *.ods.opinsights.azure.com | 443 | +| winatp-gw-cus.microsoft.com | 443 | +| winatp-gw-eus.microsoft.com | 443 | +| winatp-gw-neu.microsoft.com | 443 | +| winatp-gw-weu.microsoft.com | 443 | + + +### Offboard server endpoints +To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. 
+For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). + +>[!NOTE] +>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. + +## Related topics +- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) +- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index 5bd33553ac..c90b025275 100644 --- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Pull alerts to your SIEM tools 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + ## Pull alerts using supported security information and events management (SIEM) tools Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index 24412f45b9..701451367b 100644 --- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure Splunk to pull Windows Defender ATP alerts @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. ## Before you begin 
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index c801b3feab..48810c5ae3 100644 --- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Create custom alerts using the threat intelligence (TI) application program interface (API) @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. ## Before you begin diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md index 07eb913511..333d2f5e83 100644 --- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: View the Windows Defender Advanced Threat Protection Dashboard +title: Windows Defender Advanced Threat Protection Security operations dashboard description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh @@ -7,11 +7,13 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- -# View the Windows Defender Advanced Threat Protection Dashboard +# View the Windows Defender Advanced Threat Protection Security operations dashboard **Applies to:** @@ -21,7 +23,9 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Dashboard** displays a snapshot of: +[!include[Prerelease information](prerelease.md)] + +The **Security operations dashboard** displays a snapshot of: - The latest active alerts on your network - Daily machines reporting 
@@ -33,7 +37,7 @@ The **Dashboard** displays a snapshot of: You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. -From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. +From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview. diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index ad99762845..b10e923513 100644 --- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender ATP data storage and privacy @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. > [!NOTE] 
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index a10edb15c5..e3a3b4ae51 100644 --- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender compatibility @@ -22,6 +24,8 @@ localizationpriority: high - Windows Defender - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning. If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index 588dc98570..32ba05c13a 100644 --- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Enable the custom threat intelligence API in Windows Defender ATP @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. 1. In the navigation pane, select **Preference Setup** > **Threat intel API**. diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 53cc303fdd..26467de977 100644 --- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Enable SIEM integration in Windows Defender ATP 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. 1. In the navigation pane, select **Preferences setup** > **SIEM integration**. diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index c32cb54316..4200e50e85 100644 --- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: iaanw -localizationpriority: high +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 --- @@ -23,6 +25,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints. For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. 
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index a74dd4b020..d5eb939076 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Experiment with custom threat intelligence (TI) alerts @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..239c463a13 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,100 @@
+---
+title: Use the Windows Defender Advanced Threat Protection exposed APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Use the Windows Defender ATP exposed APIs
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Run queries on the graph API
+
+### Before you begin
+Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3. In the Create window, enter the following information then click **Create**.
+
+ ![Image of Create application window](images/atp-azure-create.png)
+
+ - **Name:** WinATPGraph
+ - **Application type:** Native
+ - **Redirect URI:** `https://localhost`
+
+
+4. Navigate and select the newly created application.
+ ![Image of new app in Azure](images/atp-azure-atp-app.png)
+
+5. Click **All settings** > **Required permissions** > **Add**.
+
+ ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
+
+6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
+
+ ![Image of API access and API selection](images/atp-azure-api-access.png)
+
+
+7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
+
+ ![Image of select permissions](images/atp-azure-select-permissions.png)
+
+You can now use the code snippets in the following sections to query the API using the created app ID.
+
+## Get an access token
+1. Get the Client ID from the application you created.
+
+2. Use the **Client ID**. For example:
+ ```
+ private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+ private const string resourceId = "https://graph.microsoft.com";
+ private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
+ private const string redirect = "https://localhost";
+ HttpClient client = new HttpClient();
+ AuthenticationContext auth = new AuthenticationContext(authority);
+ var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
+ client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
+ ```
+
+## Query the graph
+Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
+
+```
+client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+// sample endpoint
+string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
+HttpResponseMessage response = client.GetAsync(ep).Result;
+string resp = response.Content.ReadAsStringAsync().Result;
+Console.WriteLine($"response for: {ep} \r\n {resp}");
+```
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cd1e27c74b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Find machine information by interal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or interal IP.
+keywords: apis, graph api, supported apis, find machine, machine information, IP
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Find machine information by interal IP
+Find a machine entity around a specific timestamp by FQDN or internal IP.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+ "computerDnsName": "",
+ "firstSeen": "2017-07-06T01:25:04.9480498Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 8b5493c587..89ede3edae 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -1,14 +1,16 @@ --- title: Fix unhealthy sensors in Windows Defender ATP description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine. -keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication +keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Fix unhealthy sensors in Windows Defender ATP @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured. ## Inactive machines 
@@ -40,13 +44,13 @@ Do you expect a machine to be in ‘Active’ status? [Open a support ticket tic ## Misconfigured machines Misconfigured machines can further be classified to: - - Impaired communication + - Impaired communications - No sensor data -### Impaired communication +### Impaired communications This status indicates that there's limited communication between the machine and the service. -The following suggested actions can help fix issues related to a misconfigured machine with impaired communication: +The following suggested actions can help fix issues related to a misconfigured machine with impaired communications: - [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
        The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md index fa66ca420f..db7f9796a9 100644 --- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Update general Windows Defender ATP settings @@ -20,6 +22,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu. 1. In the navigation pane, select **Preferences setup** > **General**. 
@@ -38,3 +42,4 @@ During the onboarding process, a wizard takes you through the general settings o
 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
 - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..b5745d86a0
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,67 @@
+---
+title: Get actor information API
+description: Retrieves an actor information report.
+keywords: apis, graph api, supported apis, get, actor, information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get actor information
+Retrieves an actor information report.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/actor/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and actor exists - 200 OK.
+If actor does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/actors/zinc
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
+ "id": "zinc",
+ "linkToReport": "link-to-pdf"
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..d22c9702da
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,77 @@
+---
+title: Get actor related alerts API
+description: Retrieves all alerts related to a given actor.
+keywords: apis, graph api, supported apis, get, actor, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get actor related alerts
+Retrieves all alerts related to a given actor.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/actor/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert exists - 200 OK.
+If actor does not exist or no related alerts - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 3,
+ "value": [
+ {
+ "id": "636390437845006321_-1646055784",
+ "severity": "Medium",
+ "status": "Resolved",
+ "description": "Malware associated with ZINC has been detected.",
+ "recommendedAction": "1.\tContact your incident response team.",
+ "alertCreationTime": "2017-08-23T00:09:43.9057955Z",
+ "category": "Malware",
+ "title": "Malware associated with the activity group ZINC was discovered",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5a3baedc8a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert information by ID
+Retrieves an alert by its ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert exists - 200 OK.
+If alert not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity",
+ "id": "636396039176847743_89954699",
+ "severity": "Informational",
+ "status": "New",
+ "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
+ "recommendedAction": "Collect artifacts and determine scope.",
+ "alertCreationTime": "2017-08-29T11:45:17.5754165Z",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8727105bd0
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,69 @@
+---
+title: Get alert related actor information API
+description: Retrieves the actor information related to the specific alert.
+keywords: apis, graph api, supported apis, get, alert, actor, information, related
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related actor information
+Retrieves the actor information related to the specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/actor
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and actor exist - 200 OK.
+If alert not found or actor not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor
+Content-type: application/json
+
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
+ "id": "zinc",
+ "linkToReport": "link-to-pdf"
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..d22d6043a1
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,71 @@
+---
+title: Get alert related domain information
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related domain information
+Retrieves all domains related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/domains
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK.
+If alert not found or domain not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains",
+ "value": [
+ {
+ "host": "www.example.com"
+ }
+ ]
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..7020f3ddb1
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get alert related files information
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related files information
+Retrieves all files related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/files
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK.
+If alert not found or files not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",
+ "value": [
+ {
+ "sha1": "121c7060dada38275d7082a4b9dc62641b255c36",
+ "sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94",
+ "md5": "776c970dfd92397b3c7d74401c85cd40",
+ "globalPrevalence": null,
+ "globalFirstObserved": null,
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..83ff265f9a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get alert related IP information
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related IP information
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/ips
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK.
+If alert not found or IPs not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips",
+"value": [
+ {
+ "id": "104.80.104.128"
+ },
+ {
+ "id": "23.203.232.228
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1051f8e032
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,68 @@
+---
+title: Get alert related machine information
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related machine information
+Retrieves all machines related to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/machine
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK.
+If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
+ "id": "207575116e44741d2b22b6a81429b3ca4fd34608",
+ "computerDnsName": "machine1-corp.contoso.com",
+ "firstSeen": "2015-12-01T11:31:53.7016691Z",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..008f657eb7
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,71 @@
+---
+title: Get alert related user information
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alert related user information
+Retrieves the user associated to a specific alert.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts/{id}/user
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK.
+If alert not found or user not found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
+ "id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
+ "accountSid": null,
+ "accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
+ "accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..27cbaabe0a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,75 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get alerts
+Retrieves top recent alerts.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and alerts exists - 200 OK.
+If no recent alerts found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 5000,
+ "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000",
+ "value": [
+ {
+ "id": "636396039176847743_89954699",
+ "severity": "Informational",
+ "status": "New",
+ "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
+ "recommendedAction": "Collect artifacts and determine scope",
+ "alertCreationTime": "2017-08-29T11:45:17.5754165Z",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..4ade44c5d8
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get domain related alerts
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and alert exists - 200 OK.
+If domain or alert does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..630af76023
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get domain related machines
+Retrieves a collection of machines related to a given domain address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and machine exists - 200 OK.
+If domain or machines do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..168ba45b95
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,69 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get domain statistics
+Retrieves the prevalence for the given domain.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats",
+ "host": "example.com",
+ "orgPrevalence": "4070",
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..bf5224ea2c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,70 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file information
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK.
+If file does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity",
+ "sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
+ "sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a",
+ "md5": "d387a06cd4bf5fcc1b50c3882f41a44e",
+ "globalPrevalence": 40790196,
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0bc15888fe
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file related alerts
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and alert exists - 200 OK.
+If file or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0dd8cbb37e
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file related machines
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and machines exists - 200 OK.
+If file or machines do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cf4bdfb5bb
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get file statistics
+Retrieves the prevalence for the given file.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/files/{id}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
+ "orgPrevalence": "106398",
+ "orgFirstSeen": "2017-07-30T13:29:50Z",
+ "orgLastSeen": "2017-08-29T13:29:31Z",
+ "topFileNames": [
+ "chrome.exe",
+ "old_chrome.exe"
+ ]
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cc3eaf628c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,74 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get IP related alerts
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and alert exists - 200 OK.
+If IP and alerts do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5a3164c261
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get IP related machines
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and machines exists - 200 OK.
+If IP or machines do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..077f8220bb
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,69 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get IP statistics
+Retrieves the prevalence for the given IP.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and domain exists - 200 OK.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "ipAddress": "192.168.1.1",
+ "orgPrevalence": "63515",
+ "orgFirstSeen": "2017-07-30T13:36:06Z",
+ "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..eefe82c97b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machine by ID
+Retrieves a machine entity by ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/{id}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
+ "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
+ "computerDnsName": "",
+ "firstSeen": "2015-03-15T00:18:20.6588778Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..837fece398
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,71 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machine log on users
+Retrieves a collection of logged on users.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/{id}/logonusers
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and user exist - 200 OK.
+If no machine found or no users found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users",
+ "value": [
+ {
+ "id": "m",
+ "accountSid": null,
+ "accountName": "",
+ "accountDomainName": "northamerica",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0afb16bf58
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
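Review bot: The example response is not well-formed JSON: the body after `Content-type: application/json` starts directly at `"@odata.context"` and ends with `}`, so the opening `{` is missing; every other page in this change shows it, and the line `{` should be inserted right after `Content-type: application/json` so the snippet is copyable. The first element's `"id": "m"` looks like a truncated placeholder rather than a representative identifier and should be replaced with a redacted but plausible value, as `accountDomainName` already is. Since this endpoint returns account names, SIDs and domains for every account that logged on to a machine, `User needs read permissions.` is too vague for someone deciding which scope to grant to an application; naming the actual permission would help, assuming the service exposes one — confirm with the API owners.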
@@ -0,0 +1,73 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machine related alerts
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and alert exists - 200 OK.
+If no machine or no alerts found - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "636396066728379047_-395412459",
+ "severity": "Medium",
+ "status": "New",
+ "description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..7674740001
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,76 @@
+---
+title: Get machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get machines
+Retrieves a collection of recently seen machines.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK.
+If no recent machines - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "@odata.count": 5000,
+ "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000",
+ "value": [
+ {
+ "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
+ "computerDnsName": "",
+ "firstSeen": "2015-03-15T00:18:20.6588778Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+…
+}
+
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..cf588557dc
--- /dev/null
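Review bot: The example response carries `"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000"` alongside `"@odata.count": 5000`, yet the page never says the collection is paged or that the caller must follow `@odata.nextLink` to get the remaining machines, so a client written from this page silently stops at the first page. A one-line paragraph under Response would close that gap, e.g. `Results are returned in pages. When a response contains @odata.nextLink, request that URL to retrieve the next page.` The Response section also states `If no recent machines - 404 Not Found.` without saying what "recent" means; the time window should be stated if it is fixed, or the word dropped if it is not.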
+++ b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,70 @@
+---
+title: Get user information API
+description: Retrieve a User entity by key such as user name or domain.
+keywords: apis, graph api, supported apis, get, user, user information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get user information
+Retrieve a User entity by key (user name or domain\user).
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/users/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK.
+If user does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/users/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
+ "id": "",
+ "accountSid": null,
+ "accountName": "",
+ "accountDomainName": "",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..88cc381aaf
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
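Review bot: The HTTP request line `GET /testwdatppreview/users/{id}/` has a trailing slash that the example (`GET https://graph.microsoft.com/testwdatppreview/users/{id}`) and every other page in this change omit; the two should match, presumably `GET /testwdatppreview/users/{id}`. The body says the key is `user name or domain\user` while the front-matter description says `user name or domain` — these disagree and one should be corrected. If a `domain\user` key is placed in the path, the backslash has to be percent-encoded (`%5C`) for the request to be well-formed, so a sentence under HTTP request saying how the key must be encoded, with one encoded example, would save callers a round of debugging — confirm the exact accepted form with the service owners.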
@@ -0,0 +1,74 @@
+---
+title: Get user related alerts API
+description: Retrieves a collection of alerts related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get user related alerts
+Retrieves a collection of alerts related to a given user ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/users/{id}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and user and alert exists - 200 OK.
+If user does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
+ "@odata.count": 9,
+ "value": [
+ {
+ "id": "636396023170943366_-36088267",
+ "severity": "Medium",
+ "status": "New",
+ "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
+ "recommendedAction": "Update AV signatures and run a full scan.",
+…
+}
+```
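Review bot: The Response section documents only the `If user does not exist - 404 Not Found.` case and says nothing about a user who exists but has no alerts, whereas the sibling machine-alerts page in this change documents `If no machine or no alerts found - 404 Not Found.` for the equivalent case. If the behaviour is the same here, `If user does not exist or no alerts found - 404 Not Found.` would make the two pages consistent; if an empty `value` array is returned with 200 instead, the page should say that, since a client has to branch on it. The `"@odata.context"` line in the example is flush-left while the rest of the object is indented by one space, which is cosmetic but worth aligning before publishing.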
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..46b715810b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,72 @@
+---
+title: Get user related machines API
+description: Retrieves a collection of machines related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, user related alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Get user related machines
+Retrieves a collection of machines related to a given user ID.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/users/{id}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and user and machine exists - 200 OK.
+If user or machine does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "0a3250e0693a109f1affc9217be9459028aa8426",
+ "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
+ "firstSeen": "2017-07-05T08:21:00.0572159Z",
+ "osPlatform": "Windows10",
+…
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png
new file mode 100644
index 0000000000..3c945c3b8d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png differ
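Review bot: The front-matter `keywords` line ends with `user related alerts`, but this page documents user-related machines; it looks copied from the alerts page and should read `keywords: apis, graph api, supported apis, get, user, user related machines` so search indexes the right topic. The Response section's `If user or machine does not exist - 404 Not Found.` leaves the user-exists-with-no-machines case unstated, and a client has to know whether to expect 404 or an empty `value` array there. The example's `computerDnsName` uses `ComputerPII_…`/`DomainPII_…` placeholders, which is the right call for a public page; the earlier machine pages in this change show `""` instead, so settling on one redaction style across the set would help readers tell a placeholder from a genuinely empty field.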
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png new file mode 100644 index 0000000000..f195635b73 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png new file mode 100644 index 0000000000..a29e87f278 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png new file mode 100644 index 0000000000..080b28974c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png index ff3c828a38..5f0e1199b6 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png and b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png new file mode 100644 index 0000000000..90e1f30d77 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-action-center.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png new file mode 100644 index 0000000000..ce13835ade Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png new file mode 100644 index 0000000000..df19e86e74 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png new file mode 100644 index 0000000000..467cb3414e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png new file mode 100644 index 0000000000..71d61dca5f Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png new file mode 100644 index 0000000000..5b5116f4dd Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png new file mode 100644 index 0000000000..88ed4da744 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png new file mode 100644 index 0000000000..70a29f078a Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png b/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png new file mode 100644 index 0000000000..79dfdf7756 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actions-run-av.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png new file mode 100644 index 0000000000..e46547a2ff Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application-name.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-add-application.png b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png new file mode 100644 index 0000000000..38767341f9 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-add-application.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png index f162f21b1b..9745627e88 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png b/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png new file mode 100644 index 0000000000..ae493ad999 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-app-restriction.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-application-information.png b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png new file mode 100644 index 0000000000..0fa908d66c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-application-information.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png new file mode 100644 index 0000000000..d980fc4ed9 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png new file mode 100644 index 0000000000..aed05187d6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png new file mode 100644 index 0000000000..31a49811ec Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png new file mode 100644 index 0000000000..2fe20462f2 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png new file mode 100644 index 0000000000..a222f09880 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png index 9c41b16d73..7bb3ec3bb5 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png index 4d1885054b..acf42ec448 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png new file mode 100644 index 0000000000..effefd5424 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png new file mode 100644 index 0000000000..ce3d0672a6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png new file mode 100644 index 0000000000..5aa454b9c8 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png new file mode 100644 index 0000000000..23dcbb397e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png new file mode 100644 index 0000000000..d90199bb76 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png b/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png new file mode 100644 index 0000000000..e56876ff1b Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png new file mode 100644 index 0000000000..5a04cb5fd5 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png new file mode 100644 index 0000000000..614424a2ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png new file mode 100644 index 0000000000..4f738b77ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png new file mode 100644 index 0000000000..8166caf6ae Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png new file mode 100644 index 0000000000..3cfe2f682f Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-ops.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png new file mode 100644 index 0000000000..11c2bf608b Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png new file mode 100644 index 0000000000..90f5b5b557 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png new file mode 100644 index 0000000000..3e486c0565 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png new file mode 100644 index 0000000000..c846a207df Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png new file mode 100644 index 0000000000..345a260612 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png new file mode 100644 index 0000000000..e71db86d17 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png index 4905b60304..d416fcb5ad 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png and b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png new file mode 100644 index 0000000000..ad6c46725c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png new file mode 100644 index 0000000000..dc88fe76e4 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-actions.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png index 2c32d9780d..65eafd21ea 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png index 10b778ae73..cdc1be01f6 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png index c9063c8fa9..0c7f50581f 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png index da80abb64f..c90cef7b32 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png
new file mode 100644
index 0000000000..5e2258d16d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
index 746d043732..7c10c6b14f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png b/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png
new file mode 100644
index 0000000000..fc88a55489
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-manage-tags.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
index 6be87715e9..b97c524a43 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png
new file mode 100644
index 0000000000..3160d850e0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png
new file mode 100644
index 0000000000..5dbd52ce1c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-notification-restrict.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
index 508822a2ad..b4865884d3 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png and b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
new file mode 100644
index 0000000000..bad96b9438
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-score.png
new file mode 100644
index 0000000000..e0e05e11be
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-org-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
new file mode 100644
index 0000000000..65dc93e72c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png
new file mode 100644
index 0000000000..c8a1a31e06
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-permissions-applications.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-portal.png
index 5f39939886..742b8deb22 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-portal.png and b/windows/threat-protection/windows-defender-atp/images/atp-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
new file mode 100644
index 0000000000..953e4af373
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png
new file mode 100644
index 0000000000..96200e68ff
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png
new file mode 100644
index 0000000000..2061e53383
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png
new file mode 100644
index 0000000000..be0e101c6e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-options.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png
new file mode 100644
index 0000000000..92599b5a75
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png b/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png
new file mode 100644
index 0000000000..d587e6d40a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-restrict-app.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png b/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png
new file mode 100644
index 0000000000..ff284e05fc
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-run-av-scan.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png
new file mode 100644
index 0000000000..47cedd37ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png b/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png
new file mode 100644
index 0000000000..fd2d52834b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-sec-coverage.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png
new file mode 100644
index 0000000000..1b3c80e762
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png
new file mode 100644
index 0000000000..e7f8d974bf
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png
new file mode 100644
index 0000000000..627d376ba2
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png b/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png
new file mode 100644
index 0000000000..2a1d763b3f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-coverage.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png b/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png
new file mode 100644
index 0000000000..d99b7de547
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-improvements.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png b/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png
new file mode 100644
index 0000000000..07fa544f73
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-server-onboarding.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
index 8dcfa06ea0..191941085d 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
index cb58fad705..1f09d12343 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
new file mode 100644
index 0000000000..e1d37a4f65
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png b/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png
new file mode 100644
index 0000000000..6a4b746009
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-tag-management.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
index ea42abd060..ce515c1e79 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png and b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
index 1d852999b9..b08381baed 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png
new file mode 100644
index 0000000000..b0732653d6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png
new file mode 100644
index 0000000000..1d852999b9
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png
new file mode 100644
index 0000000000..2bea8cb48d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-view-ata.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index c621085545..d2e1a9a60a 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate Windows Defender Advanced Threat Protection alerts @@ -17,6 +19,8 @@ localizationpriority: high - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. ![Image of the alert page](images/atp-alert-details.png) 
@@ -26,7 +30,7 @@ The alert context tile shows the where, who, and when context of the alert. As w For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md). -The alert details page also shows the alert process tree, an incident graph, and an alert timeline. +The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. 
@@ -73,15 +77,15 @@ The **Incident Graph** expansion by destination IP Address, shows the organizati You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed. -## Alert timeline -The **Alert timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. +## Artifact timeline +The **Artifact timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. -![Image of alert timeline](images/atp-alert-timeline.png) +![Image of artifact timeline](images/atp-alert-timeline.png) Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. 
## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index b107b3b042..6c5effd35b 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate a domain associated with a Windows Defender ATP alert @@ -20,6 +22,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. You can see information from the following sections in the URL view: 
@@ -44,7 +48,7 @@ The **Communication with URL in organization** section provides a chronological 5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index ebf5a67b89..afb66067f3 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate a file associated with a Windows Defender ATP alert 
@@ -20,31 +22,36 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. You can get information from the following sections in the file view: - File details, Malware detection, Prevalence worldwide -- Deep analysis -- Alerts related to this file -- File in organization -- Most recent observed machines with file - +- Deep analysis +- Alerts related to this file +- File in organization +- Most recent observed machines with file +## File worldwide and Deep analysis The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md). -You'll also see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis). +You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis). ![Image of file information](images/atp-file-information.png) +## Alerts related to this file The **Alerts related to this file** section provides a list of alerts that are associated with the file. 
This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. ![Image of alerts related to the file section](images/atp-alerts-related-to-file.png) +## File in organization The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization. ![Image of file in organization](images/atp-file-in-org.png) +## Most recent observed machinew with the file The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file. ![Image of most recent observed machine with the file](images/atp-observed-machines.png) 
@@ -52,7 +59,7 @@ The **Most recent observed machines with the file** section allows you to specif This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index b531ee93f6..0efb6d5061 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md 
@@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate an IP address associated with a Windows Defender ATP alert @@ -20,6 +22,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Examine possible communication between your machines and external internet protocol (IP) addresses. Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. @@ -52,7 +56,7 @@ Use the search filters to define the search criteria. You can also use the timel Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 435dc1a3c2..f437a524b9 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,14 +1,16 @@ --- title: Investigate machines in the Windows Defender ATP Machines list -description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list. -keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity +description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health. +keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Investigate machines in the Windows Defender ATP Machines list 
@@ -17,6 +19,8 @@ localizationpriority: high - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + ## Investigate machines Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. 
@@ -24,39 +28,43 @@ You can click on affected machines whenever you see them in the portal to open a - The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) -- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- The [Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - Any individual alert - Any individual file details view - Any IP address or domain details view When you investigate a specific machine, you'll see: -- Machine details, Logged on users, and Machine Reporting +- Machine details, Logged on users, and Machine Reporting - Alerts related to this machine - Machine timeline -![Image of machine details page](images/atp-machine-details-view.png) +![Image of machine view](images/atp-machine-details-view.png) -The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine, and others. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). +The machine details, total logged on users, and machine reporting sections display various attributes about the machine. -You'll also see other information such as domain, operating system (OS) and build, total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. +The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package. 
+ +For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days: - Interactive and remote interactive logins - Network, batch, and system logins -![Image of user details pane](images/atp-user-details-pane.png) +![Image of user details pane](images/atp-user-details.png) You'll also see details such as logon types for each user account, the user group, and when the account logon occurred. For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). +## Alerts related to this machine The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts). This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine. You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. 
Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**. +## Machine timeline The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. @@ -71,38 +79,39 @@ Use the search bar to look for specific timeline events. Harness the power of us - **Value** - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search supports defined search queries based on type:value pairs.
        You can use any of the following values:
        - - Hash: Sha1 or MD5 - - File name - - File extension - - Path - - Command line - - User - - IP - - URL + - Hash: Sha1 or MD5 + - File name + - File extension + - Path + - Command line + - User + - IP + - URL + - **Informational level** – Click the drop-down button to filter by the following levels: - - Detections mode: displays Windows ATP Alerts and detections - - Behaviors mode: displays "detections" and selected events of interest - - Verbose mode: displays all raw events without aggregation or filtering + - Detections mode: displays Windows ATP Alerts and detections + - Behaviors mode: displays "detections" and selected events of interest + - Verbose mode: displays all raw events without aggregation or filtering - **Event type** - Click the drop-down button to filter by the following levels: - - Windows Defender ATP alerts - - Windows Defender AV alerts - - Response actions - - AppGuard related events - - Windows Defender Device Guard events - - Process events - - Network events - - File events - - Registry events - - Load DLL events - - Other events

        - Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. + - Windows Defender ATP alerts + - Windows Defender AV alerts + - Response actions + - AppGuard related events + - Windows Defender Device Guard events + - Process events + - Network events + - File events + - Registry events + - Load DLL events + - Other events

        + Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: - - Logon users - - System - - Network - - Local service + - Logon users + - System + - Network + - Local service The following example illustrates the use of type:value pair. The events were filtered by searching for the user jonathan.wolcott and network events as the event type: 
@@ -132,14 +141,16 @@ From the list of events that are displayed in the timeline, you can examine the ![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png)
-You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine.
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
 Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address. The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
+
+
 ## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 9f45aa0817..52c8a9583f 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 --- # Investigate a user account in Windows Defender ATP
@@ -20,6 +22,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
 ## Investigate user account entities Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
@@ -35,7 +39,7 @@ When you investigate a user account entity, you'll see: - Alerts related to this user - Observed in organization (machines logged on to)
-![Image of the user account entity details page](images/atp-user-details-view.png)
+![Image of the user account entity details page](images/atp-user-details-view-tdp.png)
 The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
@@ -63,7 +67,7 @@ You can filter the results by the following time periods: - 6 months ## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5d32e4419b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,66 @@
+---
+title: Is domain seen in org API
+description: Use this API to create calls related to checking whether a domain was seen in the organization.
+keywords: apis, graph api, supported apis, domain, domain seen
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Is domain seen in org
+Answers whether a domain was seen in the organization.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/domains/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/domains/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains/$entity",
+ "host": "example.com"
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..9dfc6cd763
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,66 @@
+---
+title: Is IP seen in org API
+description: Answers whether an IP was seen in the organization.
+keywords: apis, graph api, supported apis, is, ip, seen, org, organization
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Is IP seen in org
+Answers whether an IP was seen in the organization.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/ips/{id}/
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK.
+If IP do not exist - 404 Not Found.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/ips/{id}
+Content-type: application/json
+```
+
+Response
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips/$entity",
+ "id": "192.168.1.1"
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index ddcf2f5185..4fa77ae8f4 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 --- # View and organize the Windows Defender ATP Machines list
@@ -21,19 +23,21 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
 The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. Use the Machines list in these main scenarios:
-- **During onboarding**
        +- **During onboarding**
        During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. -- **Day-to-day work** +- **Day-to-day work**
        The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. ## Sort, filter, and download the list of machines from the Machines list You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order. -Filter the **Machines list** by time period, **OS Platform**, **Health**, or **Malware category alerts** to focus on certain sets of machines, according to the desired criteria. +Filter the **Machines list** by time period, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, or **Groups** to focus on certain sets of machines, according to the desired criteria. You can also download the entire list in CSV format using the **Export to CSV** feature. @@ -52,14 +56,22 @@ You can use the following filters to limit the list of machines displayed during - Windows 10 - Windows Server 2012 R2 - Windows Server 2016 +- Linux +- Mac OS - Other +**Health**
        +- All +- Well configure +- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters. + + **Sensor health state**
        Filter the list to view specific machines grouped together by the following machine health states: - **Active** – Machines that are actively reporting sensor data to the service.
-- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. Misconfigured machines can further be classified to:
- - Impaired communication
+- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
+ - Impaired communications
 - No sensor data For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
@@ -100,7 +112,7 @@ You can sort the **Machines list** by the following columns: ## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 7ad9b687cb..be0229d1d1 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 --- # Manage Windows Defender Advanced Threat Protection alerts
@@ -21,7 +23,9 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
 You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
@@ -51,10 +55,9 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen Added comments instantly appear on the pane. ## Suppress alerts +There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. -Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**. - -Suppression rules can be created from an existing alert. +Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. 
@@ -63,7 +66,9 @@ There are two contexts for a suppression rule that you can choose from: - **Suppress alert on this machine** - **Suppress alert in my organization** -The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule: +The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal. + +You can use the examples in the following table to help you choose the context for a suppression rule: | **Context** | **Definition** | **Example scenarios** | |:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -86,38 +91,31 @@ Create custom rules to control when alerts are suppressed, or resolved. You can > [!NOTE] > You cannot create a custom or blank suppression rule. You must start from an existing alert. + 4. Specify the conditions for when the rule is applied: - - Alert title - - Indicator of compromise (IOC) - - Suppression conditions + - Alert title + - Indicator of compromise (IOC) + - Suppression conditions > [!NOTE] - > The SHA1 of the alert cannot be modified -5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization. + > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions. + +5. Specify the action and scope on the alert.
        + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization. 6. Click **Save and close**. -**See the list of suppression rules:** +### View the list of suppression rules -1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen. -2. Click **Suppression rules**. +1. Click **Alerts queue** > **Suppression rules**. - ![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png) - -The list of suppression rules shows all the rules that users in your organization have created. -![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png) - -Each rule shows: - -- (1) The title of the alert that is suppressed -- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization -- (3) The date when the alert was suppressed -- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards. +2. The list of suppression rules shows all the rules that users in your organization have created. +You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules. 
## Related topics
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 82efa42cc1..158de675fc 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: iaanw
-localizationpriority: high
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
 --- # Minimum requirements for Windows Defender ATP
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
 There are some minimum requirements for onboarding your network and endpoints. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
@@ -116,10 +120,12 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the sc qc diagtrack ``` -## Windows Defender signature updates are configured -The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). +## Windows Defender Antivirus signature updates are configured +The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). -When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). +When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. + +For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). 
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 0acb1a9351..d5a674a071 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: iaanw
-localizationpriority: high
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
 --- # Onboard and set up Windows Defender Advanced Threat Protection
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
 You need to onboard to Windows Defender ATP before you can use the service. For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
@@ -37,6 +41,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
 ## In this section
 Topic | Description
 :---|:---
-[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
+[Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
+[Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
 [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
 [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
diff --git a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..2f535cb869
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,33 @@
+---
+title: Optimize Windows Defender Antivirus
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Optimize Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The Antivirus optimization tile provides a list of recommendations to affected machines. Taking action on the recommendations will help improve your overall organizational security:
+
+- [Use Windows Defender AV with Windows Defender ATP](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+- [Turn on cloud-delivered protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
+- [Turn on protection from potentially unwanted applications](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
+- [Turn on real-time protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
+- [Update antivirus protection and definitions](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 6104ea6ffb..7a8e8393e6 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: DulceMV
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 --- # Windows Defender Advanced Threat Protection portal overview
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+[!include[Prerelease information](prerelease.md)]
+
 Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
@@ -45,14 +49,14 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
        **Feedback** -Access the feedback button to provide comments about the portal.
        **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
        **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. -**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. +(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. +**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. **Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. -(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list. +(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: 
diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1419c95077
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,134 @@ +--- +title: Create and build Power BI reports using Windows Defender ATP data +description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. +keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 09/05/2017 +--- +# Create and build Power BI reports using Windows Defender ATP data + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI. + +Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. + +Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization. + +You can easily get started by: +- Creating a dashboard on the Power BI service +- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization + +You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported. + +## Create a Windows Defender ATP dashboard on Power BI service +Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. + +1. 
In the navigation pane, select **Preferences setup** > **Power BI reports**. + +2. Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization. + + ![Preferences setup with create dashboard button](images/atp-create-dashboard.png) + + >[!NOTE] + >Loading your data in the Power BI service can take a few minutes. + +3. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. + + ![Consent image](images/atp-powerbi-consent.png) + +4. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. + +When the dashboard is ready, you’ll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard. + +For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/). + +## Build a custom Windows Defender ATP dashboard in Power BI Desktop +You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires. + +### Before you begin +1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). + +2. In the Windows Defender ATP portal navigation pane, select **Preferences setup** > **Power BI reports**. + +3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. + + ![Preferences setup with download connector button](images/atp-download-connector.png) + +4. Create a new directory `Microsoft Power BI Desktop\Custom Connectors` under the user's Documents folder. + +5. 
Copy WDATPDataConnector.mez from the zip to the directory you just created. + +6. Open Power BI Desktop. + +7. Click **File** > **Options and settings** > **Custom data connectors**. + +8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. + + ![Power BI options page](images/atp-powerbi-options.png) + +9. Restart Power BI Desktop. + +## Customize the Windows Defender ATP Power BI dashboard +After completing the steps in the Before you begin section, you can proceed with building your custom dashboard. + +1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop. + +2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. + + ![Consent image](images/atp-powerbi-consent.png) + +3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. + +## Mashup Windows Defender ATP data with other data sources +You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other data sources to gain better security perspective in your organization. + +1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Windows Defender Advanced Threat Protection**. + + ![Get data in Power BI](images/atp-powerbi-get-data.png) + +2. Click **Connect**. + +3. On the Preview Connector windows, click **Continue**. + + ![Power BI preview connector](images/atp-powerbi-preview.png) + +4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. 
By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. + + ![Consent image](images/atp-powerbi-consent.png) + +5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. + +6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. + + ![Power BI navigator page](images/atp-powerbi-navigator.png) + +7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source. + +8. Add visuals and select fields from the available data sources. + +## Related topics +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) +- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) + + + + diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index c34193f76e..e3960714e7 100644 
--- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # PowerShell code examples for the custom threat intelligence API @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + This article provides PowerShell code examples for using the custom threat intelligence API. These code examples demonstrate the following tasks: diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index e2904380b5..beade9fba5 100644 --- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Configure Windows Defender ATP preferences settings 
@@ -20,6 +22,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. ## In this section @@ -32,3 +36,4 @@ Topic | Description [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution. [Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application. +[Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) | Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. diff --git a/windows/threat-protection/windows-defender-atp/prerelease.md b/windows/threat-protection/windows-defender-atp/prerelease.md new file mode 100644 index 0000000000..315e4f96d8 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/prerelease.md @@ -0,0 +1,3 @@ +>[!IMPORTANT] + +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. \ No newline at end of file 
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 1c4dcb2648..ec38ff1fd1 100644 --- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Turn on the preview experience in Windows Defender ATP @@ -20,6 +22,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Turn on the preview experience setting to be among the first to try upcoming features. 1. In the navigation pane, select **Preferences setup** > **Preview experience**. @@ -31,3 +35,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 8fb19c7e1a..096f49bab4 100644 
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender ATP preview features @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. @@ -34,4 +37,34 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Preview features -There are currently no preview only features. +The following features are included in the preview release: + +- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
        +You can now onboard VDI machines to the Windows Defender ATP service. + +- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
        +Windows Defender ATP supports the onboarding of the following servers: + - Windows Server 2012 R2 + - Windows Server 2016 + +- [View the Windows Defender ATP Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
        +The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. + +- [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
        +You can lock down a device and prevent subsequent attempts of potentially malicious programs from running. + +- [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
        +As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. + +- [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
        +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. + +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
        +Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. + +- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
        + Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. + + + + diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 2c68f00d27..ebf7206b49 100644 --- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Pull Windows Defender ATP alerts using REST API @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. In general, the OAuth 2.0 protocol supports four types of flows: diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index dc44b7cbea..607ab8d422 100644 --- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md 
@@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Python code examples for the custom threat intelligence API @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] ## Before you begin You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 220ed86e05..328a0ff719 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Take response actions on a file @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. 
@@ -32,29 +35,29 @@ You can also submit files for deep analysis to run the file in a secure cloud sa ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. -The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. +The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline + - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - **Search box** - select File from the drop–down menu and enter the file name -2. Open the **Actions menu** and select **Stop & Quarantine File**. +2. Open the **Actions menu** and select **Stop and Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) -3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference. +3. Type a comment and select **Yes, stop and quarantine** to take action on the file. + ![Image of stop and quarantine file](images/atp-stop-quarantine.png) The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - - **Submission time** - Shows when the action was submitted.
        - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
        - - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
        - - **Success** - Shows the number of machines where the file has been stopped and quarantined.
        - - **Failed** - Shows the number of machines where the action failed and details about the failure.
        + - **Submission time** - Shows when the action was submitted. + - **Success** - Shows the number of machines where the file has been stopped and quarantined. + - **Failed** - Shows the number of machines where the action failed and details about the failure. + - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -103,14 +106,17 @@ This feature is designed to prevent suspected malware (or potentially malicious ![Image of preferences setup](images/atp-preferences-setup.png) -3. Type a comment (optional) and select **Yes** to take action on the file. -The Action center shows the submission information: - ![Image of block file](images/atp-blockfile.png) +3. Type a comment and select **Yes, block file** to take action on the file. + + + The Action center shows the submission information: + + ![Image of block file](images/atp-blockfile.png) - **Submission time** - Shows when the action was submitted.
        - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
        - - **Status** - Indicates whether the file was added to or removed from the blacklist. + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
        + - **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
        @@ -129,9 +135,9 @@ For prevalent files in the organization, a warning is shown before an action is ### Remove file from blocked list 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - - **Alerts** - Click the file links from the Description or Details in the Alert timeline
        - - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
        - - **Search box** - Select File from the drop–down menu and enter the file name + - **Alerts** - Click the file links from the Description or Details in the Artifact timeline
        + - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
        + - **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. @@ -174,7 +180,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure **Submit files for deep analysis:** 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
        - - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
        + - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
        - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
        - Search box - select **File** from the drop–down menu and enter the file name
        2. In the **Deep analysis** section of the file view, click **Submit**. @@ -228,4 +234,4 @@ HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection > If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. ## Related topics -– [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index d0c899983f..0879c73c17 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -1,14 +1,16 @@ --- title: Take response actions on a machine in Windows Defender ATP -description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details. -keywords: respond, isolate, isolate machine, collect investigation package, action center +description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. +keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Take response actions on a machine 
@@ -21,59 +23,60 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!NOTE] > These response actions are only available for machines on Windows 10, version 1703. -## Isolate machines from the network -Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +## Manage machine group and tags +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. -This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. +Machine related properties are being extended to account for: ->[!NOTE] ->You’ll be able to reconnect the machine back to the network at any time. +- Group affiliation +- Dynamic context capturing -1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: - - **Dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. -2. Open the **Actions** menu and select **Isolate machine**. 
+### Group machines +Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. - ![Image of isolate machine](images/atp-isolate-machine.png) +Machine group is defined in the following registry key entry of the machine: -3. Type a comment (optional) and select **Yes** to take action on the machine. - >[!NOTE] - >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. +- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` +- Registry key value (string): Group - The Action center shows the submission information: - ![Image of machine isolation](images/atp-machine-isolation.png) - - **Submission time** - Shows when the isolation action was submitted. - - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon. - - **Status** - Indicates any pending actions or the results of completed actions. +### Set standard tags on machines +Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. -When the isolation configuration is applied, there will be a new event in the machine timeline. +1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: -**Notification on machine user**:
        -When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. -![Image of no network connection](images/atp-notification-isolate.png) + You can also get to the alert page through the file and IP views. -## Undo machine isolation -Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated. +2. Open the **Actions** menu and select **Manage tags**. -1. Select a machine that was previously isolated. + ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) -2. Open the **Actions** menu and select **Undo machine isolation**. +3. Enter tags on the machine. To add more tags, click the + icon. +4. Click **Save and close**. - ![Image of undo isolation](images/atp-undo-isolation.png) + ![Image of adding tags on a machine](images/atp-save-tag.png) + + Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. + +### Manage machine tags +You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. + +![Image of adding tags on a machine](images/atp-tag-management.png) -3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network. 
## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. @@ -82,35 +85,40 @@ You can download the package (Zip file) and investigate the events that occurred The package contains the following folders: -Folder | Description -:---|:--- -Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

        NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” -Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). -Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

        - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

        - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

        ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

        - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

        - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. -Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

        - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

        - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. -Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. -Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. -Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

        NOTE: Open the event log file using Event viewer. -Services | Contains the services.txt file which lists services and their states. -Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

        Contains files for SMBInboundSessions and SMBOutboundSession.

        NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). -Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

        This can help to track suspicious files that an attacker may have dropped on the system.

        NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. -Users and Groups | Provides a list of files that each represent a group and its members. -CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. +| Folder | Description | +|:--------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Autoruns | Contains a set of files that 
each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

        NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | +| Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | +| Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

        - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

        - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

        ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

        - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

        - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. | +| Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

        - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

        - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | +| Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | +| Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | +| Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

        NOTE: Open the event log file using Event viewer. | +| Services | Contains the services.txt file which lists services and their states. | +| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

        Contains files for SMBInboundSessions and SMBOutboundSession.

        NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). | +| Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

        This can help to track suspicious files that an attacker may have dropped on the system.

        NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. | +| Users and Groups | Provides a list of files that each represent a group and its members. | +| CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | 1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views: - - **Dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the heading of the machine name from the machines list. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the heading of the machine name from the machines list. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. 2. Open the **Actions** menu and select **Collect investigation package**. + ![Image of collect investigation package action](images/atp-actions-collect-investigation-package.png) + +3. Type a comment and select **Yes, collect package** to take action on the machine. 
+ + ![Image of notification to collect package](images/atp-notification-collect-package.png) + The Action center shows the submission information: - ![Image of investigation package in action center](images/atp-investigation-package-action-center.png) + ![Image of investigation package in action center](images/atp-action-center-package-collection.png) - **Submission time** - Shows when the action was submitted. - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package. 3. Select **Package available** to download the package.
        @@ -121,8 +129,152 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag You can also search for historical packages in the machine timeline. +## Run Windows Defender Antivirus scan on machines +As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. + +>[!NOTE] +> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. + +1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. +2. Open the **Actions** menu and select **Run antivirus scan**. + + ![Image of run antivirus scan](images/atp-actions-run-av.png) + +3. Select the scan type that you'd like to run. You can choose between a quick or a full scan. + + ![Image of notification to select quick scan or full scan and add comment](images/atp-av-scan-notification.png) + + +4. Type a comment and select **Yes, run scan** to start the scan.
        + + The Action center shows the scan information: + + ![Image of action center with antivirus scan](images/atp-av-scan-action-center.png) + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. + +The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. + +## Restrict app execution +In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. + +The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. + +>[!NOTE] +>You’ll be able to reverse the restriction of applications from running at any time. + +1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Restrict app execution**. + + ![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png) + +3. Type a comment and select **Yes, restict app execution** to take action on the file. 
+ + ![Image of app restriction notification](images/atp-notification-restrict.png) + + The Action center shows the submission information: + ![Image of action center with app restriction](images/atp-action-center-app-restriction.png) + + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. + +When the application execution restriction configuration is applied, a new event is reflected in the machine timeline. + + +**Notification on machine user**:
        +When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: + +![Image of app restriction](images/atp-app-restriction.png) + +## Remove app restriction +Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated. + +1. Select the machine where you restricted an application from running from. + +2. Open the **Actions** menu and select **Remove app restrictions**. + + ![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png) + +3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine. + + +## Isolate machines from the network +Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. + +This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. + +On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. + +>[!NOTE] +>You’ll be able to reconnect the machine back to the network at any time. + +1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. 
+ - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Isolate machine**. + + ![Image of isolate machine](images/atp-actions-isolate-machine.png) + +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. + + ![Image of isolation confirmation](images/atp-confirm-isolate.png) + +4. Type a comment and select **Yes, isolate machine** to take action on the machine. + + >[!NOTE] + >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. + + The Action center shows the submission information: + ![Image of machine isolation](images/atp-machine-isolation.png) + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication. + +When the isolation configuration is applied, a new event is reflected in the machine timeline. + +**Notification on machine user**:
        +When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: + +![Image of no network connection](images/atp-notification-isolate.png) + +## Release machine from isolation +Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated. + +1. Select a machine that was previously isolated. + +2. Open the **Actions** menu and select **Release from isolation**. + + ![Image of release from isolation](images/atp-actions-release-from-isolation.png) + +3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network. + + ## Check activity details in Action center -The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. +The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: + +- Investigation package collection +- Antivirus scan +- App restriction +- Machine isolation + +All other related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed. ![Image of action center with information](images/atp-action-center-with-info.png) diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 597cefb9a1..548e32a5b1 100644 
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Take response actions in Windows Defender ATP @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. @@ -34,7 +38,7 @@ Topic | Description [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network. ## Related topics -- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..4a5e44b615 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,120 @@
+---
+title: View the Security Analytics dashboard in Windows Defender ATP
+description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
+keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# View the Windows Defender Advanced Threat Protection Security analytics dashboard
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
+
+The **Security analytics dashboard** displays a snapshot of:
+- Organizational security score
+- Security coverage
+- Improvement opportunities
+
+![Security analytics dashboard](images/atp-dashboard-security-analytics.png)
+
+## Organizational security score
+The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
+
+![Organizational security score](images/atp-org-score.png)
+
+Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
+
+The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
+
+
+In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile.
+
+## Security coverage
+The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category.
+
+
+![Security coverage](images/atp-sec-coverage.png)
+
+## Improvement opportunities
+Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
+
+Click on each control to see the recommended optimizations.
+
+![Improvement opportunities](images/atp-improv-ops.png)
+
+The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
+
+Recommendations that do not display a green action are informational only and no action is required.
+
+Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
+
+The following image shows an example list of machines where the EDR sensor is not turned on.
+
+![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png)
+
+### Endpoint detection and response (EDR) optimization
+This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service.
+
+You can take the following actions to increase the overall security score of your organization:
+- Turn on sensor
+- Fix sensor data collection
+- Fix impaired communications
+
+For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+
+### Windows Defender Antivirus optimization
+This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on.
+
+You can take the following actions to increase the overall security score of your organization:
+
+>[!NOTE]
+> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the endpoint.
+
+- Fix antivirus reporting
+ - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
+- Turn on antivirus
+- Update antivirus definitions
+- Turn on cloud-based protection
+- Turn on real-time protection
+- Turn on PUA protection
+
+For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
+
+
+### OS security updates optimization
+This tile shows you the exact number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
+
+You can take the following actions to increase the overall security score of your organization:
+- Install the latest security updates
+
+For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a6f76a8f46
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md
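Review bot: The front matter of this new security-analytics page still uses `localizationpriority: high` and has no `ms.author`, while every other page touched by this commit is migrated to `ms.author: macapara` and `ms.localizationpriority: high` (the new supported-apis page added in the same commit already uses the new keys), so the metadata migration is incomplete here. Suggest replacing the one line with `ms.author: macapara` and `ms.localizationpriority: high`. While editing, the body has a few doubled words worth fixing: "where the the recommendation is applicable", "a list of specific list of actions", and "For more information on, see"; the `keywords` line has "security coverate" for "security coverage".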
@@ -0,0 +1,22 @@
+---
+title:
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Security updates
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 088b4ed61a..aed38dc020 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
+ms.date: 09/05/2017
 ---
 # Check the Windows Defender Advanced Threat Protection service health
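Review bot: `title:`, `description:` and `keywords:` are left empty in the front matter of the new security-updates page, and the file ends right after the **Applies to** list, so it appears to be an unfinished stub that would publish with blank page metadata. Either fill in the three fields and the body before merging, or hold this file back from the commit until it has content. It also keeps the old `localizationpriority` key and lacks `ms.author` and `ms.date`, unlike the pages this commit migrates.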
@@ -21,16 +23,18 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. -You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. +You can view details on the service health by clicking the tile from the **Security operations dashboard** or selecting the **Service health** menu from the navigation pane. The **Service health** details page has the following tabs: - **Current issues** -- **Status History** +- **Status history** ## Current issues The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md index caaafb618e..0d217af685 100644 --- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md 
@@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: DulceMV -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender Advanced Threat Protection settings @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information. ## Time zone settings diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..108fefc1b7 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,38 @@
+---
+title: Supported Windows Defender Advanced Threat Protection APIs
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Supported Windows Defender ATP APIs
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Actor | Run API calls such as get actor information and get actor related alerts.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
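Review bot: The Domain row of the section table repeats "domain related machines" ("get domain related machines, domain related machines, statistics"), and the IP row reads "check if and IP is seen"; suggest `Domain | Run API calls such as get domain related machines, domain statistics, and check if a domain is seen in your organization.` and `check if an IP is seen in your organization`. The Domain row is also the only one without a space after the `|`, which is harmless for rendering but inconsistent with the other rows.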
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index d1968d5761..f802ef999b 100644 --- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Understand threat intelligence concepts @@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. 
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index 40fc971abf..a7b4331483 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Troubleshoot custom threat intelligence issues @@ -21,6 +23,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] You might need to troubleshoot issues while using the custom threat intelligence feature. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index a43f5f374c..30083255ae 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index c782fef5df..b04d0fdea3 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Troubleshoot SIEM tool integration issues @@ -21,6 +23,9 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + + You might need to troubleshoot issues while pulling alerts in your SIEM tools. This page provides detailed steps to troubleshoot issues you might encounter. diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 088a82e8d9..00ddbd8987 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -7,9 +7,12 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- + # Troubleshoot Windows Defender Advanced Threat Protection **Applies to:** @@ -20,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. ### Server error - Access is denied due to invalid credentials diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index ba2be9225a..727c6135b0 100644 --- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Use the threat intelligence API to create custom alerts 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. You can use the code examples to guide you in creating calls to the custom threat intelligence API. diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 6b8436e6ef..bcd359ef0c 100644 --- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Use the Windows Defender Advanced Threat Protection portal @@ -21,9 +23,11 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + A typical security breach investigation requires a member of a security operations team to: -1. View an alert on the **Dashboard** or **Alerts queue** +1. View an alert on the **Security operations dashboard** or **Alerts queue** 2. Review the indicators of compromise (IOC) or indications of attack (IOAs) 3. Review a timeline of alerts, behaviors, and events from the machine 4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert 
@@ -32,13 +36,14 @@ A typical security breach investigation requires a member of a security operatio Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal. -Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance. +Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance. ### In this section Topic | Description :---|:--- -[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. +[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. +[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. 
From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues. [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 8f73a17944..4f308f2bea 100644 --- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high +ms.date: 09/05/2017 --- # Windows Defender Advanced Threat Protection 
@@ -21,6 +23,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). 
@@ -94,6 +98,7 @@ Topic | Description [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise. [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) | Learn about pulling alerts from the Windows Defender ATP portal using supported security information and events management (SIEM) tools. [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) | Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. +[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI. [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service. [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings, suppression rules, and view license information. 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
new file mode 100644
index 0000000000..0916abe7b6
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -0,0 +1,178 @@
+---
+title: Use Attack Surface Reduction rules to prevent malware infection
+description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
+keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Reduce attack surfaces with Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
+
+- Executable files and scripts used in Office apps or web mail that attempt to download or run files
+- Scripts that are obfuscated or otherwise suspicious
+- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
+
+See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
+
+When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
+
+## Attack Surface Reduction rules
+
+The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
+
+Rule name | GUIDs
+-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+
+### Rule: Block executable content from email client and webmail
+
+
+This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
+
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Script archive files
+
+
+
+### Rule: Block Office applications from creating child processes
+
+Office apps, such as Word or Excel, will not be allowed to create child processes.
+
+This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+
+### Rule: Block Office applications from creating executable content
+
+This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
+
+Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
+
+
+### Rule: Block Office applications from injecting into other processes
+
+
+Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
+
+This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
+
+
+
+### Rule: Impede JavaScript and VBScript to launch executables
+
+JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
+
+This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
+
+
+
+### Rule: Block execution of potentially obfuscated scripts
+
+Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
+
+This rule prevents scripts that appear to be obfuscated from running.
+
+It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
+
+
+
+
+
+## Requirements
+
+The following requirements must be met before Attack Surface Reduction will work:
+
+Windows 10 version | Windows Defender Antivirus
+- | -
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+
+
+
+
+## Review Attack Surface Reduction events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+ ![](images/events-import.gif)
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
+
+ Event ID | Description
+-|-
+5007 | Event when settings are changed
+1122 | Event when rule fires in Audit-mode
+1121 | Event when rule fires in Block-mode
+
+
+
+### Event fields
+
+- **ID**: matches with the Rule-ID that triggered the block/audit.
+- **Detection time**: Time of detection
+- **Process Name**: The process that performed the "operation" that was blocked/audited
+- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
+
+
+ ## In this section
+
+Topic | Description
+---|---
+[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
+[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
+[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.
+
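Review bot: The rule GUID table lists seven rules, but the "### Rule:" subsections that follow describe only six; "Block Win32 imports from Macro code in Office" (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B) gets no description, so an administrator deciding whether to enable or audit that rule has nothing to go on. Add a subsection for it in the same shape as the others, or say where it is documented. In the email/webmail rule the script example `PowerShell .ps` should read `PowerShell .ps1`, which is the actual script extension. The **ID** entry under "Event fields" says it "matches with the Rule-ID", while the table above keys on Event IDs 1121/1122; if the field carries the rule GUID from the GUID table, say so explicitly so readers do not confuse the two identifiers.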
diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
new file mode 100644
index 0000000000..8ca8c4120a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -0,0 +1,82 @@
+---
+title: Test how Windows Defender EG features work
+description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
+keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+# Use audit mode to evaluate Windows Defender Exploit Guard features
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+
+While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
+
+You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+
+You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
+
+
+
+Audit options | How to enable audit mode | How to view events
+- | - | -
+Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
+Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
+
+
+You can also use the a custom PowerShell script that enables the features in audit mode automatically:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
+
+1. Type **powershell** in the Start menu.
+
+2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
+
+3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode:
+ ```PowerShell
+ Set-ExecutionPolicy Bypass -Force
+ \Enable-ExploitGuardAuditMode.ps1
+ ```
+
+ Replace \ with the folder path where you placed the file.
+
+ A message should appear to indicate that audit mode was enabled.
+
+
+## Related topics
+
+Topic | Description
+---|---
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
+- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)
+
+
+
diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
new file mode 100644
index 0000000000..2cda929649
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
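Review bot: Step 3 of the audit-mode script procedure runs `Set-ExecutionPolicy Bypass -Force` with no `-Scope`, so it persistently relaxes the machine-wide execution policy on every machine an administrator evaluates, which outlives the evaluation itself. Scope the change to the session used for the script: `Set-ExecutionPolicy Bypass -Scope Process -Force`. The placeholder folder path in `\Enable-ExploitGuardAuditMode.ps1` and in "Replace \ with the folder path" appears to have been lost (likely angle-bracket text stripped in rendering); confirm the published source still shows it, since the instruction is unreadable without it. The same step spells "audie mode", and the first body paragraph spells "Explot Guard".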
@@ -0,0 +1,99 @@
+---
+title: Help prevent ransomware and threats from encrypting and changing files
+description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files.
+keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Protect important folders with Controlled Folder Access
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
+
+This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+
+A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+
+As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
+
+
+
+## Requirements
+
+The following requirements must be met before Controlled Folder Access will work:
+
+Windows 10 version | Windows Defender Antivirus
+-|-
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+
+
+## Review Controlled Folder Access events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+3. On the left panel, under **Actions**, click **Import custom view...**
+
+ ![](images/events-import.gif)
+
+4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1124 | Audited Controlled Folder Access event
+1123 | Blocked Controlled Folder Access event
+
+
+ ## In this section
+
+Topic | Description
+---|---
+[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created.
+[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network
+[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
new file mode 100644
index 0000000000..71db423dcf
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -0,0 +1,94 @@
+---
+title: Configure how ASR works to finetune protection in your network
+description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
+keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+# Customize Attack Surface Reduction
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
+
+This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
+
+You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+
+## Exclude files and folders
+
+You can exclude files and folders from being evaluated by Attack Surface Reduction rules.
+
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
+
+### Use Group Policy to exclude files and folders
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
+
+6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+
+### Use PowerShell to exclude files and folderss
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Add-MpPreference -AttackSurfaceReductionOnlyExclusions ""
+ ```
+
+Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.
+
+
+>[!IMPORTANT]
+>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
+
+### Use MDM CSPs to exclude files and folders
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+
+
+
+## Customize the notification
+
+See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+
+
+
+## Related topics
+
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
+- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
+
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
new file mode 100644
index 0000000000..9bde74faf6
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -0,0 +1,194 @@
+---
+title: Add additional folders and apps to be protected by Windows 10
+description: Add additional folders that should be protected by Controlled Folder Access, or whitelist apps that are incorrectly blocking changes to important files.
+keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Customize Controlled Folder Access
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+
+- [Add additional folders to be protected](#protect-additional-folders)
+- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
+
+ ## Protect additional folders
+
+Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
+
+You can add additional folders to be protected, but you cannot remove the default folders in the default list.
+
+Adding other folders to Controlled Folder Access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
+
+You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
+
+You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
+
+### Use the Windows Defender Security Center app to protect additional folders
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+ ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
+
+3. Under the **Controlled folder access** section, click **Protected folders**
+
+4. Click **Add a protected folder** and follow the prompts to add apps.
+
+ ![](images/cfa-prot-folders.png)
+
+
+### Use Group Policy to protect additional folders
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
+
+6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
+
+> [!IMPORTANT]
+> Environment variables and wildcards are not supported.
+
+
+### Use PowerShell to protect additional folders
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Add-MpPreference -ControlledFolderAccessProtectedFolders ""
+ ```
+
+
+Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
+
+
+![](images/cfa-allow-folder-ps.png)
+
+
+>[!IMPORTANT]
+>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
+
+### Use MDM CSPs to protect additional folders
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
+
+
+
+ ## Allow specifc apps to make changes to controlled folders
+
+You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
+
+>[!IMPORTANT]
+>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
+>You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
+
+
+You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
+
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled Folder Access.
+
+### Use the Windows Defender Security app to whitelist specific apps
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+ ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
+
+3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
+
+4. Click **Add an allowed app** and follow the prompts to add apps.
+
+ ![](images/cfa-allow-app.png)
+
+### Use Group Policy to whitelist specific apps
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
+
+6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
+
+
+
+### Use PowerShell to whitelist specific apps
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Add-MpPreference -ControlledFolderAccessAllowedApplications ""
+ ```
+
+ For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows:
+
+ ```PowerShell
+ Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
+ ```
+
+Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
+
+
+![](images/cfa-allow-app-ps.png)
+
+
+>[!IMPORTANT]
+>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
+
+
+
+### Use MDM CSPs to whitelist specific apps
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
+
+## Customize the notification
+
+See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+
+## Related topics
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md)
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
\ No newline at end of file
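Review bot: Step 6 of "Use Group Policy to whitelist specific apps" still contains the author's unresolved draft question (`enter each app as Value? Or Value Name? what are the requirements? Have to be exe? ...`) and cannot ship in that form, least of all in the step that widens what may write to protected folders. The paragraph earlier in this hunk states that only the app at the specified location is allowed, and the PowerShell example uses `"c:\apps\test.exe"`, so the step should tell the reader to enter the fully qualified path of each executable; whether the dialog takes it in the **Value name** column the way the Attack Surface Reduction exclusions step does is something to confirm against the setting's ADMX before publishing. The "Use MDM CSPs to protect additional folders" sentence says the GuardedFoldersList CSP is used "to allow apps to make changes to protected folders", which reads as copied from the allowed-apps section; it should say `to add folders to the protected list`. The heading "Allow specifc apps..." is the anchor target linked from this topic's own bullet list and from controlled-folders-exploit-guard.md, so correcting the spelling must update those links in the same change.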
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
new file mode 100644
index 0000000000..86c947101d
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -0,0 +1,260 @@ +--- +title: Enable or disable specific mitigations used by Exploit Protection +keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr +description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + +# Customize Exploit Protection + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + +Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. + + It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. + + This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. + +It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. 
The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). + + +## Exploit Protection mitigations + +All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. + +You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table. + +For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. + +Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available +- | - | - | - +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. 
| System and app-level (system default: **On** | No +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes +Block remote images | Prevents loading of images from remote devices. | App-level only | Yes +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes +Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. 
| App-level only | Yes +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes + + + + +### Configure system-level mitigations with the Windows Defender Security Center app + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label: + + ![](images/wdsc-exp-prot.png) + +3. Under the **System settings** section, find the mitigation you want to configure and select either: + - **On by default** + - **Off by default** + -**Use default** + + >[!NOTE] + >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + + Changing some settings may required a restart, which will be indicated in red text underneath the setting. + + ![](images/wdsc-exp-prot-sys-settings.png) + +4. Repeat this for all the system-level mitigations you want to configure. + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. + +Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. + + +### Configure app-specific mitigations with the Windows Defender Security Center app + +1. 
Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen: + + ![](images/wdsc-exp-prot.png) + + +3. Go to the **Program settings** section and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + + ![](images/wdsc-exp-prot-app-settings.png) + + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + + ![](images/wdsc-exp-prot-app-settings-options.png) + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. + +Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
+ + + ## PowerShell reference + + You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets. + + The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. + + >[!IMPORTANT] + >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden. + + + You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: + +```PowerShell +Get-ProcessMitigation -Name processName.exe +``` + + Use `Set` to configure each mitigation in the following format: + + ```PowerShell +Set-ProcessMitigation - - ,, +``` + + +Where: + +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. + - `-System` to indicate the mitigation should be applied at the system level +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma. 
+ + + For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: + + ```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` + + >[!IMPORTANT] + >Seperate each mitigation option with commas. + + If you wanted to apply DEP at the system level, you'd use the following command: + + ```PowerShell +Set-Processmitigation -System -Enable DEP +``` + + To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. + + If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + + ```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` + + + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + + For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: + + ```PowerShell +Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +``` + +You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`. + +### PowerShell reference table + +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
+ + + + +Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet +- | - | - | - +Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available +Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available +Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocate | Audit not available +Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Disable extension points | App-level only | ExtensionPoint | Audit not available +Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Validate handle usage | App-level only | StrictHandle | Audit not available +Validate image dependency integrity | App-level only | 
EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available + + + +\[1\]: Use the following format to enable EAF modules for dlls for a process: + +```PowerShell +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +``` + + +## Customize the notification + +See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. + +## Related topics + +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Evaluate Exploit Protection](evaluate-exploit-protection.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md new file mode 100644 index 0000000000..f2c3551f4a --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
@@ -0,0 +1,46 @@
+---
+title: Compare the features in Exploit Protection with EMET
+keywords: emet, enhanced mitigation experience toolkit, configuration, exploit
+description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview, build 16232 and later
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+
+
+We're still working on this content and will have it published soon!
+
+
+
+Check out the following topics for more information about Exploit Protection:
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Enable Exploit Protection](enable-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
new file mode 100644
index 0000000000..910db87d44
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -0,0 +1,118 @@ +--- +title: Enable ASR rules individually to protect your organization +description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques +keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Enable Attack Surface Reduction + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. + + + +## Enable and audit Attack Surface Reduction rules + +You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + +Attack Surface Reduction rules are identified by their unique rule ID. 
+ +You can manually add the rules by using the GUIDs in the following table: + +Rule description | GUIDs +-|- +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B + +See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. + +### Use Group Policy to enable Attack Surface Reduction rules + + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. + +6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: + - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + - Block mode = 1 + - Disabled = 0 + - Audit mode = 2 + + + ![](images/asr-rules-gp.png) + + + + + ### Use PowerShell to enable Attack Surface Reduction rules + +1. 
Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids + ``` + +You can enable the feature in audit mode using the following cmdlet: + +```PowerShell +Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +``` + +Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + + + +### Use MDM CSPs to enable Attack Surface Reduction rules + +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. + + + + +## Related topics + +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md) +- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md new file mode 100644 index 0000000000..3471eba455 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md 
@@ -0,0 +1,107 @@ +--- +title: Turn on the protected folders feature in Windows 10 +keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use +description: Learn how to protect your important files by enabling Controlled Folder Access +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Enable Controlled Folder Access + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). + + +## Enable and audit Controlled Folder Access + +You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + +### Use the Windows Defender Security app to enable Controlled Folder Access + +1. 
Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) + +3. Set the switch for the feature to **On** + + ![](images/cfa-on.png) + +### Use Group Policy to enable Controlled Folder Access + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**. + +6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: + - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + - **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders. + - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. 
+ + ![](images/cfa-gp-enable.png) + +>[!IMPORTANT] +>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. + +### Use PowerShell to enable Controlled Folder Access + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -EnableControlledFolderAccess Enabled + ``` + +You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`. + +Use `Disabled` to turn the feature off. + +### Use MDM CSPs to enable Controlled Folder Access + +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. + + +## Related topics + +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md new file mode 100644 index 0000000000..90e6cd1782 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -0,0 +1,76 @@
+---
+title: Turn on Exploit Protection to help mitigate against attacks
+keywords: exploit, mitigation, attacks, vulnerability
+description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Enable Exploit Protection
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection.
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+
+
+## Enable and audit Exploit Protection
+
+You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
+
+The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
+
+You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
+
+For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
+
+See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations:
+
+1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
+2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
+
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
+
+
+
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
new file mode 100644
index 0000000000..4e8f0eea70
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -0,0 +1,100 @@ +--- +title: Turn Network Protection on +description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs +keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Enable Network Protection + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Configuration service providers for mobile device management + + +Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + +This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). + + +## Enable and audit Network Protection + +You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. + +For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + +### Use Group Policy to enable or audit Network Protection + + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. 
Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**. + +6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following: + - **Block** - Users will not be able to access malicious IP addresses and domains + - **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains + - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. + + +>[!IMPORTANT] +>To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. + + + ### Use PowerShell to enable or audit Network Protection + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ``` + Set-MpPreference -EnableNetworkProtection Enabled + ``` + +You can enable the feauting in audit mode using the following cmdlet: + +``` +Set-MpPreference -EnableNetworkProtection AuditMode +``` + +Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. + + + +### Use MDM CSPs to enable or audit Network Protection + + +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection. + + +## Related topics + +- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Evaluate Network Protection](evaluate-network-protection.md) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md new file mode 100644 index 0000000000..1e5a5acdee --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
@@ -0,0 +1,249 @@ +--- +title: Use a demo to see how ASR can help protect your devices +description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks +keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Evaluate Attack Surface Reduction rules + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + + +Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). + +This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. + +>[!NOTE] +>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). 
+ + +## Use the demo tool to see how Attack Surface Reduction works + +Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. + +The tool is part of the Windows Defender Exploit Guard evaluation package: +- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) + +This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. + +When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. + +![](images/asr-test-tool.png) + +Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. + +>[!IMPORTANT] +>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). + +**Run a rule using the demo tool:** + +1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). + +2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. + + + >[!IMPORTANT] + >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10. + +3. 
Select the rule from the drop-down menu. + +4. Select the mode, **Disabled**, **Block**, or **Audit**. + 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**. + +5. Click **RunScenario**. + +The scenario will run, and an output will appear describing the steps taken. + +You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer. + +>[!TIP] +>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. + + +Choosing the **Mode** will change how the rule functions: + +Mode option | Description +-|- +Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all. +Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction. +Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine. + +Block mode will cause a notification to appear on the user's desktop: + +![](images/asr-notif.png) + +You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). 
+ +The following sections describe what each rule does and what the scenarios entail for each rule. + +### Rule: Block executable content from email client and webmail + + +This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. + +The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: + +Scenario name | File type | Program +- | - | - +Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail +Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook +Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook +Mail Client Script Archive | Script archive files | Microsoft Outlook +WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail +WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail +WebMail Script Archive | Script archive files | Web mail + + +### Rule: Block Office applications from creating child processes + +>[!NOTE] +>There is only one scenario to test for this rule. + +Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Office applications from creating executable content + +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. 
+ +The following scenarios can be individually chosen: + +- Random + - A scenario will be randomly chosen from this list +- Extension Block + - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. + + +### Rule: Block Office applications from injecting into other processes + + +>[!NOTE] +>There is only one scenario to test for this rule. + + +Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. + + + +### Rule: Impede JavaScript and VBScript to launch executables + +JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. + +- Random + - A scenario will be randomly chosen from this list +- JScript + - JavaScript will not be allowed to launch executable files +- VBScript + - VBScript will not be allowed to launch executable files + + + +### Rule: Block execution of potentially obfuscated scripts + +Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. 
+ + +- Random + - A scenario will be randomly chosen from this list +- AntiMalwareScanInterface + - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script +- OnAccess + - Potentially obfuscated scripts will be blocked when an attempt is made to access them + + +## Review Attack Surface Reduction events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction: + +Event ID | Description +-|- +5007 | Event when settings are changed +1122 | Event when rule fires in Audit-mode +1121 | Event when rule fires in Block-mode + + +## Use audit mode to measure impact + +You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode +``` + +This enables all Attack Surface Reduction rules in audit mode. 
+ +>[!TIP] +>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md). + + + +## Customize Attack Surface Reduction + +During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. + +See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. + + +## Related topics +- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) + + + + + + + + + + + + + + diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md new file mode 100644 index 0000000000..3b7019e217 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
@@ -0,0 +1,133 @@ +--- +title: See how CFA can help protect files from being changed by malicious apps +description: Use a custom tool to see how Controlled Folder Access works in Windows 10. +keywords: controlled folder access, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + +# Evaluate Controlled Folder Access + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + +Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). + +It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. + +This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation. + +>[!NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). 
+ + +## Use the demo tool to see how Controlled Folder Access works + +Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. + +The tool is part of the Windows Defender Exploit Guard evaluation package: +- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) + +This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. + +You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. + + + +1. Type **powershell** in the Start menu. + +2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. + +3. Enter the following in the PowerShell window to enable Controlled Folder Access: + ```PowerShell + Set-MpPreference -EnableControlledFolderAccess Enabled + ``` + +4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop). + +5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. + +6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. + + ![](images/cfa-filecreator.png) + +7. 
A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: + + ![](images/cfa-notif.png) + +## Review Controlled Folder Access events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when using the tool: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1124 | Audited Controlled Folder Access event +1123 | Blocked Controlled Folder Access event + + +## Use audit mode to measure impact + +As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -EnableControlledFolderAccess AuditMode +``` + +>[!TIP] +>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md). 
+ + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + + +## Customize protected folders and apps + +During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. + +See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. + +## Related topics +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md new file mode 100644 index 0000000000..94309ec278 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md 
@@ -0,0 +1,133 @@ +--- +title: See how Exploit Protection works in a demo +description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps. +keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Evaluate Exploit Protection + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + +Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. + +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. + +This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment. + +>[!NOTE] +>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. +>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) . + + +## Enable and validate an Exploit Protection mitigation + +For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. 
+ +First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app: + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** + +2. Enter the following cmdlet: + + ```PowerShell + SetProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation + ``` + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. + +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. + +4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. + +Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: + +1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box. + +2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer. + +3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process). + +Lastly, we can disable the mitigation so that Internet Explorer works properly again: + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. + +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. + +4. 
Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** + +5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. + + +## Review Exploit Protection events in Windows Event Viewer + +You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + +4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic. + +6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: + + Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. + + +## Use audit mode to measure impact + +As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations. + +This lets you see a record of what *would* have happened if you had enabled the mitigation. 
+ +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. + +See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. + +For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). + + + +## Related topics +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) +- [Enable Exploit Protection](enable-exploit-protection.md) +- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md new file mode 100644 index 0000000000..41d3ca0276 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md 
@@ -0,0 +1,115 @@ +--- +title: Conduct a demo to see how Network Protection works +description: Quickly see how Network Protection works by performing common scenarios that it protects against +keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + +# Evaluate Network Protection + + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell + + + +Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. + +This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site. + +>[!NOTE] +>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. + +## Enable Network Protection + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +2. Enter the following cmdlet: + + ```PowerShell + Set-MpPreference -EnableNetworkProtection Enabled + ``` + +You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`. + +### Visit a (fake) malicious domain + +1. 
Open Internet Explorer, Google Chrome, or any other browser of your choice. + +1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net). + +You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. + +![](images/np-notif.png) + + + ## Review Network Protection events in Windows Event Viewer + +You can also review the Windows event log to see the events there were created when performing the demo: + +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +2. On the left panel, under **Actions**, click **Import custom view...** + +3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to Network Protection: + +Event ID | Description +-|- +5007 | Event when settings are changed +1125 | Event when rule fires in Audit-mode +1126 | Event when rule fires in Block-mode + + +## Use audit mode to measure impact + +You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. + +You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. + +To enable audit mode, use the following PowerShell cmdlet: + +```PowerShell +Set-MpPreference -EnableNetworkProtection AuditMode +``` + + +>[!TIP] +>If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). 
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md). + + + + + ## Related topics + +- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md new file mode 100644 index 0000000000..7f93a40671 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md 
@@ -0,0 +1,55 @@ +--- +title: Evaluate the impact of Windows Defender Exploit Guard +description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios +keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Evaluate Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + +Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. + +Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. + +Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are. 
+
+
+- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
+- [Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Evaluate Network Protection](evaluate-network-protection.md)
+
+You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
+
+- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
+
+## Related topics
+
+Topic | Description
+---|---
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
+- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
new file mode 100644
index 0000000000..2e4142e7ae
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -0,0 +1,183 @@ +--- +title: Import custom views to see Windows Defender Exploit Guard events +description: Use Windows Event Viewer to import individual views for each of the features. +keywords: event view, exploit guard, audit, review, events +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.date: 08/25/2017 +localizationpriority: medium +author: iaanw +ms.author: iawilt + +--- + + +# Reduce attack surfaces with Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + +Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. + +Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. + +This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. + +## Use custom views to review Windows Defender Exploit Guard features + +You can create custom views in the Windows Event Viewer to only see events for specific features and settings. + +The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. + +### Import an existing XML custom view + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. 
The following filenames are each of the custom views: + - Controlled Folder Access events custom view: *cfa-events.xml* + - Exploit Protection events custom view: *ep-events.xml* + - Attack Surface Reduction events custom view: *asr-events.xml* + - Network Protection events custom view: *np-events.xml* + +1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. + +3. On the left panel, under **Actions**, click **Import Custom View...** + + ![](images/events-import.gif) + +4. Navigate to where you extracted XML file for the custom view you want and select it. + +4. Click **Open**. + +5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). + + +### Copy the XML directly + + +1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. + +3. On the left panel, under **Actions**, click **Create Custom View...** + + ![](images/events-create.gif) + +4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. + +5. Paste the XML code for the feature you want to filter events from into the XML section. + +4. Click **OK**. Specify a name for your filter. + +5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). 
+ + + + + +### XML for Attack Surface Reduction events + +```xml + + + + + + +``` + +### XML for Controlled Folder Access events + +```xml + + + + + + +``` + +### XML for Exploit Protection events + +```xml + + + + + + + + + + + + + + + +``` + +### XML for Network Protection events + +```xml + + + + + + + +``` + + + +## List of all Windows Defender Exploit Guard events + + +All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. + +Feature | Provider/source | Event ID | Description +:-|:-|:-:|:- +Exploit Protection | Security-Mitigations | 1 | ACG audit +Exploit Protection | Security-Mitigations | 2 | ACG enforce +Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit +Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block +Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit +Exploit Protection | Security-Mitigations | 6 | Block low integrity images block +Exploit Protection | Security-Mitigations | 7 | Block remote images audit +Exploit Protection | Security-Mitigations | 8 | Block remote images block +Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit +Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block +Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit +Exploit Protection | Security-Mitigations | 12 | Code integrity guard block +Exploit Protection | Security-Mitigations | 13 | EAF audit +Exploit Protection | Security-Mitigations | 14 | EAF enforce +Exploit Protection | Security-Mitigations | 15 | EAF+ audit +Exploit Protection | Security-Mitigations | 16 | EAF+ enforce +Exploit Protection | Security-Mitigations | 17 | IAF audit +Exploit Protection | Security-Mitigations | 18 | IAF enforce +Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit +Exploit 
Protection | Security-Mitigations | 20 | ROP StackPivot enforce
+Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit
+Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce
+Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit
+Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce
+Exploit Protection | WER-Diagnostics | 5 | CFG Block
+Exploit Protection | Win32K | 260 | Untrusted Font
+Network Protection | Windows Defender | 5007 | Event when settings are changed
+Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode
+Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode
+Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed
+Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event
+Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event
+Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed
+Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode
+Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
new file mode 100644
index 0000000000..cc5ba5334b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -0,0 +1,125 @@ +--- +title: Apply mitigations to help prevent attacks through vulnerabilities +keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet +description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 08/25/2017 +--- + + + +# Protect devices from exploits with Windows Defender Exploit Guard + + +**Applies to:** + +- Windows 10 Insider Preview + +[!include[Prerelease information](prerelease.md)] + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Windows Defender Security Center app +- Group Policy +- PowerShell + + + +Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. + +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). + +Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + + You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + + When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled. + + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. + + >[!IMPORTANT] + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + + + +## Requirements + +The following requirements must be met before Exploit Protection will work: + +Windows 10 version | Windows Defender Advanced Threat Protection +-|- +Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) + + + ## Review Exploit Protection events in Windows Event Viewer + +You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. + +2. 
Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...** + + ![](images/events-import.gif) + +4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +5. Click **OK**. + +6. This will create a custom view that filters to only show the following events related to Exploit Protection: + +Provider/source | Event ID | Description +-|:-:|- +Security-Mitigations | 1 | ACG audit +Security-Mitigations | 2 | ACG enforce +Security-Mitigations | 3 | Do not allow child processes audit +Security-Mitigations | 4 | Do not allow child processes block +Security-Mitigations | 5 | Block low integrity images audit +Security-Mitigations | 6 | Block low integrity images block +Security-Mitigations | 7 | Block remote images audit +Security-Mitigations | 8 | Block remote images block +Security-Mitigations | 9 | Disable win32k system calls audit +Security-Mitigations | 10 | Disable win32k system calls block +Security-Mitigations | 11 | Code integrity guard audit +Security-Mitigations | 12 | Code integrity guard block +Security-Mitigations | 13 | EAF audit +Security-Mitigations | 14 | EAF enforce +Security-Mitigations | 15 | EAF+ audit +Security-Mitigations | 16 | EAF+ enforce +Security-Mitigations | 17 | IAF audit +Security-Mitigations | 18 | IAF enforce +Security-Mitigations | 19 | ROP StackPivot audit +Security-Mitigations | 20 | ROP StackPivot enforce +Security-Mitigations | 21 | ROP CallerCheck audit +Security-Mitigations | 22 | ROP CallerCheck enforce +Security-Mitigations | 23 | ROP SimExec audit +Security-Mitigations | 24 | ROP SimExec enforce +WER-Diagnostics | 5 | CFG Block +Win32K | 260 | Untrusted Font + + + ## In this section + +Topic | Description +---|--- +[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included 
in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved.
+[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior.
+[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network.
+[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
+[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
new file mode 100644
index 0000000000..2f8eb02556
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
new file mode 100644
index 0000000000..fa6285cb56
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
new file mode 100644
index 0000000000..569ee7a256
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
new file mode 100644
index 0000000000..f93dbe34e3
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
new file mode 100644
index 0000000000..6b078ec9d5
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
new file mode 100644
index 0000000000..88cd35c6ce
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
new file mode 100644
index 0000000000..89abf15424
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
new file mode 100644
index 0000000000..96e6874361
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
new file mode 100644
index 0000000000..d8f0ccffab
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
new file mode 100644
index 0000000000..62ca8c3021
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
new file mode 100644
index 0000000000..7441a54834
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
new file mode 100644
index 0000000000..a61b54a696
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
new file mode 100644
index 0000000000..d36cdd8498
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/ep-prog.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
new file mode 100644
index 0000000000..96d12d3af1
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif
new file mode 100644
index 0000000000..68f057de3a
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/events-create.gif differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif
new file mode 100644
index 0000000000..55e77c546f
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/events-import.gif differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
new file mode 100644
index 0000000000..d7b921aa69
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png
new file mode 100644
index 0000000000..69eb1bbeee
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/np-notif.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
new file mode 100644
index 0000000000..01801a519d
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
new file mode 100644
index 0000000000..38404d7569
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
new file mode 100644
index 0000000000..3289ace8cf
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
new file mode 100644
index 0000000000..53edeb6135
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
new file mode 100644
index 0000000000..5bc0f3e22b
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
new file mode 100644
index 0000000000..c864cb9ed7
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@@ -0,0 +1,172 @@
+---
+title: Deploy Exploit Protection mitigations across your organization
+keywords: exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
+description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit Protection configuration.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Import, export, and deploy Exploit Protection configurations
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+
+Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit Protection.
+
+You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
+
+You can also convert and import an existing EMET configuration XML file into an Exploit Protection configuration XML.
+
+This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
+
+The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit Protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
+
+
+
+## Create and export a configuration file
+
+Before you export a configuration file, you need to ensure you have the correct settings.
+
+You should first configure Exploit Protection on a single, dedicated machine. See the [Customize Exploit Protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations.
+
+When you have configured Exploit Protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
+
+### Use the Windows Defender Security Center app to export a configuration file
+
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
+
+ ![](images/wdsc-exp-prot.png)
+
+3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
+
+
+ ![](images/wdsc-exp-prot-export.png)
+
+>[!NOTE]
+>When you export the settings, all settings for both app-level and system-level mitigations are saved.
This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+
+
+### Use PowerShell to export a configuration file
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Get-ProcessMitigation -RegistryConfigFilePath filename.xml
+ ```
+
+Change `filename` to any name or location of your choosing.
+
+> [!IMPORTANT]
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
+
+
+## Import a configuration file
+
+You can import an Exploit Protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
+
+After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app.
+
+### Use PowerShell to import a configuration file
+
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ Set-ProcessMitigation -RegistryConfigFilePath filename.xml
+ ```
+
+Change `filename` to the location and name of the Exploit Protection XML file.
+
+>[!IMPORTANT]
+>Ensure you import a configuration file that is created specifically for Exploit Protection. You cannot directly import an EMET configuration file, you must convert it first.
+
+
+## Convert an EMET configuration file to an Exploit Protection configuration file
+
+You can convert an existing EMET configuration file to the new format used by Exploit Protection. You must do this if you want to import an EMET configuration into Exploit Protection in Windows 10.
+
+You can only do this conversion in PowerShell.
+
+1. 
Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+ ```PowerShell
+ ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
+ ```
+
+Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
+
+
+## Manage or deploy a configuration
+
+You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
+
+> [!IMPORTANT]
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
+
+### Use Group Policy to distribute the configuration
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit Protection**.
+
+ ![](images/exp-prot-gp.png)
+
+6. Double-click the **Use a common set of exploit protection settings** setting and set the option to **Enabled**.
+
+7. In the **Options::** section, enter the location and filename of the Exploit Protection configuration file that you want to use, such as in the following examples:
+ - C:\MitigationSettings\Config.XML
+ - \\Server\Share\Config.xml
+ - https://localhost:8080/Config.xml
+
+8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Enable Exploit Protection](enable-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
new file mode 100644
index 0000000000..2f1e023d45
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -0,0 +1,95 @@
+---
+title: Use Network Protection to help prevent connections to bad sites
+description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
+keywords: Network Protection, exploits, malicious website, ip, domain, domains
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Protect your network with Windows Defender Exploit Guard
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+
+It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+When Network Protection blocks a connection, a notification will be displayed from the Action Center.
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled.
+
+
+
+## Requirements
+
+The following requirements must be met before Network Protection will work:
+
+Windows 10 version | Windows Defender Antivirus
+- | -
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+
+
+## Review Network Protection events in Windows Event Viewer
+
+
+You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine.
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+ ![](images/events-import.gif)
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. 
This will create a custom view that filters to only show the following events related to Network Protection:
+
+ Event ID | Description
+-|-
+5007 | Event when settings are changed
+1125 | Event when Network Protection fires in Audit-mode
+1126 | Event when Network Protection fires in Block-mode
+
+
+
+
+ ## In this section
+
+Topic | Description
+---|---
+[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created.
+[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network.
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/threat-protection/windows-defender-exploit-guard/prerelease.md
new file mode 100644
index 0000000000..1164534c8a
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/prerelease.md
@@ -0,0 +1,2 @@
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
new file mode 100644
index 0000000000..3df7e0ace2
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -0,0 +1,79 @@
+---
+title: Use Windows Defender Exploit Guard to protect your network
+description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks
+keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
+
+There are four features in Windows Defender EG:
+
+- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
+- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware
+- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices
+- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
+
+
+You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+
+
+You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
+
+Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
+- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
+- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+- Windows Defender Device Guard
+- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
+
+You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+Each of the features in Windows Defender EG have slightly different requirements:
+
+Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
+-|-|-|-
+Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console
+Attack Surface Reduction | Must be enabled | Required for reporting in the Windows Defender ATP console
+Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console
+Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console
+
+> [!NOTE]
+> Each feature's requirements are further described in the individual topics in this library.
+
+
+ ## In this library
+
+Topic | Description
+---|---
+[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
+[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
+[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
+[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
+
+
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
new file mode 100644
index 0000000000..ea5b039dd9
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
new file mode 100644
index 0000000000..363648cbc0
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index f8376c934c..00470f7842 100644
--- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
@@ -108,6 +110,43 @@ See the following links for more information on the features in the Windows Defe - Family options, which include a number of parental controls along with tips and information for keeping kids safe online - Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender) +## Customize notifications from the Windows Defender Security Center + +You can customize notifcations so they show information to users about how to get more help from your organization's help desk. + +![](images/security-center-custom-notif.png) + +This information will also appear as a pop-out window on the Windows Defender Security Center app. + +![](images/security-center-custom-flyout.png) + +Users can click on the displayed information to get more help: +- Clicking **Call** or the phone number will open Skype to start a call to the displayed number +- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email +- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address + + +### Use Group Policy to customize the notification + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**. + +6. Open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. + +7. 
Open the **Specify contact company name** setting and set it to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
+
+8. To ensure the custom notification appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**:
+ 1. Specify contact email address of Email ID
+ 2. Specify contact phone number or Skype ID
+ 3. Specify contact website
+
+9. Click **OK** after configuring each setting to save your changes.
+ >[!NOTE]
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 506e512699..957fc1f33b 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 9b1db90c72..9f850fbb1d 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Windows Defender SmartScreen
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index e611009fcf..45117e0ad1 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Set up and use Windows Defender SmartScreen on individual devices
diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
index 6f41240d2b..5e1df99718 100644
--- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 9316b2ab60..2b6985d243 100644
--- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # How to collect Windows Information Protection (WIP) audit event logs
diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 76d9d3a63c..50bf85a578 100644
--- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 15e17ff463..e4edc3e586 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index 043f638474..7b54968b51 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 5726426cf1..6f9d99a876 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune
@@ -364,7 +364,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 ### Define your enterprise-managed corporate identity
 Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
 **To change your corporate identity**
@@ -372,7 +372,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 The **Required settings** blade appears.
-2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
+2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
 ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index cbdd0a70de..2f74bae405 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Windows Information Protection (WIP) with enrollment policy using the classic console for Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10)
 description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
 ms.prod: w10
@@ -7,10 +7,10 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
-# Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune
+# Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
 **Applies to:**
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index d8a879c4d2..25be0c5cdc 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with ### Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. 
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 60eb44c676..b953181936 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index a3b19da3c4..1cdad28951 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 159440b9aa..3694e13ba8 100644
--- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
index af85cdebaf..73eddd870d 100644
--- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # General guidance and best practices for Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
index 1481a21f0d..c2274ee1e8 100644
Binary files a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
index 4bbd91028f..a1e3ed0c57 100644
Binary files a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ
diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
index 18971e3fe1..67b6897a16 100644
--- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Limitations while using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index dfd5630dc2..d810066027 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
index caf17860ce..428c25c20d 100644
--- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Create a Windows Information Protection (WIP) policy
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 19071542aa..934aa9ae7c 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Protect your enterprise data using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index f07d6ab555..418c24c0ef 100644
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
index a46e4231ad..0c5aff23c1 100644
--- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Testing scenarios for Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
index d60d0bf4ad..e2aacd97c4 100644
--- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Using Outlook on the web with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
index c3c1f07f56..fbf77802f5 100644
--- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index c963eb975e..460964a3ed 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -31,7 +31,7 @@ If you've previously contributed to topics in the Microsoft repositories, congra
 ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 5. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
+ - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
 - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index e0bd472d86..8f5712038b 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -5,7 +5,7 @@ ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
 ms.prod: w10
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # What's new in Windows 10
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 09d1e54940..bfb93ebeb4 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # What's new in Windows 10, versions 1507 and 1511
@@ -201,7 +201,7 @@ Event ID 6416 has been added to track when an external device is detected throug
 The following sections describe the new and changed functionality in the TPM for Windows 10:
 - [Device health attestation](#bkmk-dha)
 - [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
-- [Device Guard](/windows/access-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
+- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
 - [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
 
 ### Device health attestation
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 07612029c5..982900b337 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # What's new in Windows 10, version 1607
@@ -31,13 +31,13 @@ Windows ICD now includes simplified workflows for creating provisioning packages
 [Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
-### Windows Upgrade Analytics
+### Windows Upgrade Readiness
-Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
-Use Upgrade Analytics to get:
+Use Upgrade Readiness to get:
 
 - A visual workflow that guides you from pilot to production
 - Detailed computer and application inventory
@@ -47,9 +47,9 @@ Use Upgrade Analytics to get:
 - Application usage information, allowing targeted validation; workflow to track validation progress and decisions
 - Data export to commonly used software deployment tools
 
-The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
 
-[Learn more about planning and managing Windows upgrades with Windows Upgrade Analytics.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-analytics)
+[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
 
 ## Windows updates
 
@@ -102,7 +102,7 @@ Several new features and management options have been added to Windows Defender
 
 - [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
 - [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-block-at-first-sight) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
 - [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal.
 - [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
 - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index f819d4326c..f9ecc8bc12 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,12 +1,12 @@
 ---
-title: What's in Windows 10, version 1703
+title: What's new in Windows 10, version 1703
 description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
 keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: JasonGerend
-localizationpriority: high
+ms.localizationpriority: high
 ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
 ---
 
@@ -151,7 +151,7 @@ You can read more about ransomware mitigations and detection capability in Windo
 ### Device Guard and Credential Guard
 Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
-For more information, see [Device Guard Requirements](/windows/access-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard//credential-guard-requirements#security-considerations).
+For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
 ### Group Policy Security Options
@@ -171,9 +171,9 @@ For Windows desktops, users are able to reset a forgotten PIN through **Settings
 For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
 ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
 
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
 ## Update
@@ -295,6 +295,37 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
 - Set Ethernet port properties
 - Set proxy properties for the Ethernet port
 
+## Miracast on existing wireless network or LAN
+
+In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+
+### How it works
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+### Enabling Miracast over Infrastructure
+
+If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. 
To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703.
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
 ## New features in related products
 
 The following new features aren't part of Windows 10, but help you make the most of it.