Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3sb

.openpublishing.redirection.json

@@ -227,7 +227,12 @@
 },
 {
 "source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md",
-"redirect_url": "/windows/configuration/set-up-a-device-for-anyone-to-use",
+"redirect_url": "/windows/configuration/kiosk-shared-pc",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/configuration/set-up-a-device-for-anyone-to-use.md",
+"redirect_url": "/windows/configuration/kiosk-shared-pc",
 "redirect_document_id": true
 },
 {

devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md

@@ -114,6 +114,7 @@ Use this procedure if you use Exchange on-prem.
 
 Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-prem](#skype-for-business-on-prem), or [Skype for Business hybrid](#skype-for-business-hybrid).
 
+<span id="sfb-online"/>
 ### Skype for Business Online
 
 To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need.
@@ -309,18 +310,10 @@ Use this procedure if you use Exchange online.
 
 Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-prem](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid).
 
-<span id="sfb-online"/>
+
 ### Skype for Business Online    
     
-In order to enable Skype for Business, your environment will need to meet the following prerequisites:
+In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](#sfb-online).
-
-- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
-    
-- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
-    
-- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required).
-    
-- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
 
 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC.
 

devices/surface-hub/online-deployment-surface-hub-device-accounts.md

@@ -83,10 +83,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
     Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
     ```
 
-7.  Surface Hub requires a license for Skype for Business functionality.
+7.  Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online).
-    - Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
-    - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
-    - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).    
    
     Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
 

devices/surface-hub/surface-hub-authenticator-app.md

@@ -24,7 +24,7 @@ To let people in your organization sign in to Surface Hub with their phones and
 
 - Make sure you have at minimum an Office 365 E3 subscription. 
 
-- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Select **Allow users to create app passwords to sign in to non-browser apps**, and make sure **Notification through mobile app** is selected. 
+- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected. 
 
     ![multi-factor authentication options](images/mfa-options.png)
 
@@ -42,6 +42,8 @@ Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs tha
 
 - The most recent version of the Microsoft Authenticator app from the appropriate app store 
     >[!NOTE]
+    >On iOS, the app version must be 5.4.0 or higher.
+    >
     >The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub.
     
 - Passcode or screen lock on your device is enabled
@@ -53,11 +55,15 @@ Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs tha
 
 >[!NOTE]
 >If Company Portal is installed on your Android device, uninstall it before you set up Microsoft Authenticator. After you set up the app, you can reinstall Company Portal.
+>
+>If you have already set up Microsoft Authenticator on your phone and registered your device, go to the [sign-in instructions](#signin).
 
 1. Add your work or school account to Microsoft Authenticator for Multi-Factor Authentication. You will need a QR code provided by your IT department. For help, see [Get started with the Microsoft Authenticator app](https://docs.microsoft.com/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to).
 2. Go to **Settings** and register your device.
 1. Return to the accounts page and choose **Enable phone sign-in** from the account dropdown menu.
 
+
+<span id="signin" />
 ## How to sign in to Surface Hub during a meeting
 
 1. After you’ve set up a meeting, go to the Surface Hub and select **Sign in to see your meetings and files**.

education/get-started/TOC.md

@@ -1,7 +1,6 @@
 # [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
 ## [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
 ## [Use School Data Sync to import student data](use-school-data-sync.md)
-## [Enable Microsoft Teams for your school](enable-microsoft-teams.md)
 ## [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
 ## [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
 ## [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)

education/get-started/configure-microsoft-store-for-education.md

@@ -15,6 +15,10 @@ ms.date: 07/10/2017
 
 # Configure Microsoft Store for Education
 
+> [!div class="step-by-step"]
+[<< Use School Data Sync to import student data](use-school-data-sync.md)
+[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
+
 You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
 
 You can watch the video to see how this is done, or follow the step-by-step guide. </br>
@@ -58,7 +62,7 @@ Your Microsoft Store for Education account is now linked to Intune for Education
 -->
 
 > [!div class="step-by-step"]
-[<< Enable Microsoft Teams for your school](enable-microsoft-teams.md)
+[<< Use School Data Sync to import student data](use-school-data-sync.md)
 [Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
 
 

education/get-started/finish-setup-and-other-tasks.md

@@ -14,6 +14,10 @@ ms.date: 07/10/2017
 ---
 
 # Finish Windows 10 device setup and other tasks
+
+> [!div class="step-by-step"]
+[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
+
 Once you've set up your Windows 10 education device, it's worth checking to verify the following:
 
 > [!div class="checklist"]
@@ -70,6 +74,7 @@ You can follow the rest of the walkthrough to finish setup and complete other ta
 > * Update group settings in Intune for Education
 > * Configure Azure settings
 > * Complete Office 365 for Education setup
+> * Enable Microsoft teams for your school
 > * Add more users
 > * Connect other devices, like BYOD devices, to your cloud infrastructure
 
@@ -136,6 +141,38 @@ Follow the steps in this section to ensure that settings for the each user follo
 ## Complete Office 365 for Education setup
 Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/en-US/Article/set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>.
 
+## Enable Microsoft Teams for your school
+Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. 
+
+To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school. 
+
+**To enable Microsoft Teams for your school**
+
+1. Sign in to <a href="https://portal.office.com" target="_blank">Office 365</a> with your work or school account.
+2. Click **Admin** to go to the Office 365 admin center.
+3. Go to **Settings > Services & add-ins**.
+4. On the **Services & add-ins** page, select **Microsoft Teams**.
+
+  **Figure 1** - Select Microsoft Teams from the list of services & add-ins
+
+  ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
+
+5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**.
+
+  **Figure 2** - Select the license that you want to configure
+
+  ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
+
+6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
+
+  **Figure 3** - Turn on Microsoft Teams for your organization
+
+  ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
+
+7. Click **Save**.
+
+You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the <a href="https://aka.ms/MeetTeamsEdu" target="_blank">Meet Microsoft Teams</a> page.
+
 ## Add more users
 After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
 
@@ -174,5 +211,9 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
   It may take several minutes before the new device shows up so check again later.
 
 
+> [!div class="step-by-step"]
+[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
+
+  
 ## Related topic
 [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)

education/get-started/get-started-with-microsoft-education.md

@@ -10,7 +10,7 @@ ms.localizationpriority: high
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
-ms.date: 07/10/2017
+ms.date: 08/29/2017
 ---
 
 # Get started: Deploy and manage a full cloud IT solution with Microsoft Education
@@ -43,21 +43,20 @@ With Microsoft Education, schools can:
 Go to the <a href="https://www.microsoft.com/en-us/education" target="_blank">Microsoft Education site</a> to learn more. See <a href="https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" target="_blank">How to buy</a> to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
 
 ## What we're doing
-In this walkthrough, we'll show you the basics on how to:
+The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on your [setup scenario](#setup-options), you may not need to implement all these steps. 
-> [!div class="checklist"]
-> * Acquire an Office 365 for Education tenant, if you don't already have one
-> * Import school, student, teacher, and class data using School Data Sync (SDS)
-> * Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
-> * Manage apps and settings deployment with Intune for Education
-> * Acquire additional apps in Microsoft Store for Education
-> * Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
-> * Log in and use the devices
 
-This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
+Click the link to watch the video or follow the step-by-step guidance for each.
+
+1. [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
+2. [Use School Data Sync to import student data](use-school-data-sync.md)
+3. [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
+4. [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
+5. [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
+6. [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md)
 
 **Figure 1** - Microsoft Education IT administrator workflow
 
-![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
+![Deploy and manage a full cloud IT solution using Microsoft Education](images/MSES_Get_Started_IT_082917.png)
 
 ## Prerequisites
 Complete these tasks before you start the walkthrough:
@@ -130,19 +129,6 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
 4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [Enable Microsoft Teams for your school](enable-microsoft-teams.md) and then follow the rest of the instructions in this walkthrough. 
 
-## End-to-end process
-The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on scenario, you may not need to implement all these steps. 
-
-Click the link to watch the video or follow the step-by-step guidance for each.
-
-1. [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
-2. [Use School Data Sync to import student data](use-school-data-sync.md)
-3. [Enable Microsoft Teams for your school](enable-microsoft-teams.md)
-4. [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
-5. [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
-6. [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
-7. [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md)
-
 ## Get more info
 
 ### Microsoft Education documentation and resources hub

education/get-started/set-up-office365-edu-tenant.md

@@ -15,6 +15,10 @@ ms.date: 07/10/2017
 
 # Set up an Office 365 Education tenant
 
+> [!div class="step-by-step"]
+[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
+[Use School Data Sync to import student data >>](use-school-data-sync.md)
+
 Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. 
 
 Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). </br>

education/get-started/set-up-windows-10-education-devices.md

@@ -15,6 +15,10 @@ ms.date: 07/10/2017
 
 # Set up Windows 10 education devices
 
+> [!div class="step-by-step"]
+[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
+[Finish setup and other tasks >>](finish-setup-and-other-tasks.md)
+
 We recommend using the latest build of Windows 10, version 1703 on your education devices. 
 
 To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide:

education/get-started/use-intune-for-education.md

@@ -15,6 +15,10 @@ ms.date: 07/10/2017
 
 # Use Intune for Education to manage groups, apps, and settings
 
+> [!div class="step-by-step"]
+[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
+[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
+
 Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the <a href="https://docs.microsoft.com/intune-education" target="_blank">Intune for Education documentation</a>. 
 
 ## Example - Set up Intune for Education, buy apps from the Store, and install the apps

education/get-started/use-school-data-sync.md

@@ -15,6 +15,10 @@ ms.date: 07/10/2017
 
 # Use School Data Sync to import student data
 
+> [!div class="step-by-step"]
+[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
+[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
+
 School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks. 
 
 Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](https://docs.microsoft.com/en-us/education/get-started/get-started-with-microsoft-education#setup-options) instead.
@@ -177,7 +181,7 @@ That's it for importing sample school data using SDS.
 
 > [!div class="step-by-step"]
 [<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
-[Enable Microsoft Teams for your school >>](enable-microsoft-teams.md)
+[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
 
 ## Related topic
 [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)

education/windows/configure-windows-for-education.md

@@ -26,7 +26,7 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
 
 | Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | 
 | --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
+| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
 | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
 | **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
 | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |

education/windows/test-windows10s-for-edu.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
-ms.date: 08/07/2017
+ms.date: 08/30/2017
 ---
 
 # Test Windows 10 S on existing Windows 10 education devices
@@ -77,32 +77,22 @@ Make sure all drivers are installed and working properly on your device running
 
 Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer. 
 
-<!--
 |   |   |   |
 | - | - | - |
-| [Acer](https://www.acer.com/ac/en/US/content/windows10s-compatible-list) | [American Future Tech](https://www.ibuypower.com/Support/Support) | [Asus](https://www.asus.com/event/2017/win10S/) |
+| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="http://www.51cube.com/ch/win10s-help.php" target="_blank">Alldocube</a> | <a href="https://www.ibuypower.com/site/computer/windows-10-s" target="_blank">American Future Tech</a> | 
-| [Atec](http://www.atec.kr/contents/ms_info.html) | [Axdia](https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html) | [Casper](http://www.casper.com.tr/window10sdestegi) |
+| <a href="http://www.prestigio.com/support/compatibility-with-windows-10-s/" target="_blank">ASBISC</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> | <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> | 
-| [Cyberpower](https://www.cyberpowerpc.com/support/) | [Daewoo](http://www.lucoms.com/v2/cs/cs_windows10.asp) | [Fujitsu](http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update) |
+| <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> | <a href="https://www.cyberpowerpc.com/page/Windows-10-S/" target="_blank">Cyberpower</a> | 
-| [Global K](http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html) | [HP](https://support.hp.com/us-en/document/c05588871) | [LANIT Trading](http://irbis-digital.ru/support/podderzhka-windows-10-s/) |
+| <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> | <a href="http://www.dell.com/support/article/us/en/19/sln307174/dell-computers-tested-for-windows-10-s?lang=en" target="_blank">Dell</a> | 
-| [Lenovo](https://support.lenovo.com/us/en/solutions/ht504589) | [LG](http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html) | [MCJ](https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361) |
+| <a href="http://www.epson.jp/support/misc/windows10s.htm" target="_blank">Epson</a> | <a href="http://exo.com.ar/actualizaciones-de-windows-10" target="_blank">EXO</a> | <a href="http://www.fujitsu.com/au/products/computing/pc/microsoft/s-compatible/" target="_blank">Fujitsu</a> |
-| [Micro P/Exertis](http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx) | [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s) | [MSI](https://www.msi.com/Landing/Win10S) |
+| <a href="http://apac.getac.com/support/windows10s.html" target="_blank">Getac</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | 
-| [Panasonic](https://panasonic.net/cns/pc/Windows10S/) | [Positivo SA](http://www.positivoinformatica.com.br/atualizacao-windows-10) | [Positivo da Bahia](http://www.br.vaio.com/atualizacao-windows-10/) |
+| <a href="http://consumer.huawei.com/cn/support/notice/detail/index.htm?id=1541" target="_blank">Huawei</a> | <a href="http://www.inet-tek.com/en/product-qadetail-86.html" target="_blank">iNET</a> | <a href="https://www.intel.com/content/www/us/en/support/boards-and-kits/000025096.html" target="_blank">Intel</a> |
-| [Samsung](http://www.samsung.com/us/support/windows10s/) | [Toshiba](http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en) | [Trekstor](http://www.trekstor.de/windows-10-s-en.html) |
-| [Trigem](http://www.trigem.co.kr/windows/win10S.html) | [Vaio](http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/) | [Wortmann](https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx) |
--->
-
-|   |   |   |
-| - | - | - |
-| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.ibuypower.com/Support/Support" target="_blank">American Future Tech</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> |
-| <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> | <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> |
-| <a href="https://www.cyberpowerpc.com/support/" target="_blank">Cyberpower</a> | <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> |
-| <a href="http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update" target="_blank">Fujitsu</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | 
 | <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> | <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | 
 | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> | <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | 
-| <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
+| <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.bangho.com.ar/windows10s" target="_blank">PC Arts</a> | 
-| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> |
+| <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> | <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | 
+| <a href="http://www.teclast.com/zt/aboutwin10s/" target="_blank">Teclast</a> | <a href="http://www.dospara.co.jp/support/share.php?contents=about_windows10s" target="_blank">Thirdwave</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> | 
 | <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | 
-| <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
+| <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> | <a href="http://www.yifangdigital.com/Customerservice/win10s.aspx" target="_blank">Yifang</a> |
 
 
 > [!NOTE]

windows/access-protection/credential-guard/credential-guard-considerations.md

@@ -18,23 +18,77 @@ author: brianlic-msft
 Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
 in the **Deep Dive into Windows Defender Credential Guard** video series.
      
--  Passwords are still weak so we recommend that your organization deploy Windows Defender Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
--   Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Windows Defender Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
--   As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Windows Defender Credential Guard running.
    
--   Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
+Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. 
-    -   Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
-    -   Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
-    -   You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Windows Defender Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you won't be able to restore those credentials.
-    - Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. 
 
 ## Wi-fi and VPN Considerations
-When you enable Windows Defender Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. 
+When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. 
-
 
 ## Kerberos Considerations
 
-When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
+When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
+
+## 3rd Party Security Support Providers Considerations
+Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+
+## Upgrade Considerations
+As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
+
+### Saved Windows Credentials Protected
+
+Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
+    -   Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+    -   Applications that extract Windows credentials fail.
+    -   When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+
+## Clearing TPM Considerations
+Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.  
+
+>[!WARNING] 
+> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.  <br>
+> When a TPM is cleared ALL features, which use VBS to protect data can no longer decrypt their protected data.
+
+As a result Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
+
+>[!NOTE] 
+> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. 
+
+### Windows credentials saved to Credential Manager
+Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. 
+
+### Domain-joined device’s automatically provisioned public key
+Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy disabled. For more information on Configuring device to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx).
+
+### Breaking DPAPI on domain-joined devices
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. 
+
+>[!IMPORTANT] 
+> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior. <br>
+Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. 
+
+If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
+
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: 
+
+|Credential Type | Windows 10 version | Behavior                             
+|---|---|---|
+| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
+| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
+| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
+| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.
+
+Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
+
+#### Impact of DPAPI failures on Windows Information Protection
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection.  The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened.  If DPAPI is working, then newly created work data is protected and can be accessed.  
+
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
 
 ## See also
 

windows/access-protection/remote-credential-guard.md

@@ -13,62 +13,108 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 
-Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
+Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. 
 
-You can use Remote Credential Guard in the following ways:
+Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
 
-- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
+> [!IMPORTANT]
+> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article.
 
-- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Windows Defender Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
+<a id="comparing-remote-credential-guard-with-other-remote-desktop-connection-options"></a>
-
-## Comparing Windows Defender Remote Credential Guard with a server protected with Credential Guard
-
-Use the following diagrams to help understand how Windows Defender Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection.
-
-![Windows Defender Remote Credential Guard](images/remote-credential-guard.png)
 
 ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
 
-Use the following table to compare different security options for Remote Desktop connections.
+The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: 
 
-> [!NOTE]
+![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
-> This table compares different options than are shown in the previous diagram.
 
-| Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
+<br />
-|---|---|---|
-| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. |
-| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.<br><br>For more information about patches (software updates) related to Restricted Admin mode, see  [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
-| NA | Helps prevent:<br><br>- **Pass the Hash**<br>- Usage of a **credential after disconnection** | Prevents:<br><br>- **Pass the Hash**<br>- Usage of **domain identity during connection** |
-| Credentials supported from the remote desktop client device:<br><br>- **Signed on** credentials<br>- **Supplied** credentials<br>- **Saved** credentials | Credentials supported from the remote desktop client device:<br><br>- **Signed on** credentials only | Credentials supported from the remote desktop client device:<br><br>- **Signed on** credentials<br>- **Supplied** credentials<br>- **Saved** credentials |
-| Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Administrators only**, that is, only members in administrators group of remote host.  |
-| Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as remote host’s identity**.  |
-| Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | No multi-hop: From the remote desktop, you **cannot connect through Remote Desktop to another computer**. |
-| Supported authentication protocol: **Any negotiable protocol**. | Supported authentication protocol: **Kerberos only**. | Supported authentication protocol: **Any negotiable protocol**. |
 
-## Hardware and software requirements
+The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: 
 
-To use Windows Defender Remote Credential Guard, the Remote Desktop client and server must meet the following requirements: 
+![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
 
-- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703.
+<br />
+As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
+
+<br />
+<br />
+Use the following table to compare different Remote Desktop connection security options:
+
+<br />
+<br />
+
+|**Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** |
+|---|---|---|---|
+| **Protection benefits**  | Credentials on the server are not protected from Pass-the-Hash attacks.  |User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server|
+| **Version support** | The remote computer can run any Windows operating system|Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**.|The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx).
+|**Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; | &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|<ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul>|<ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul>|
+|**Credentials supported from the remote desktop client device**|<ul><li>**Signed on** credentials <li> **Supplied** credentials<li> **Saved** credentials </ul>|<ul><li> **Signed on** credentials only | <ul><li>**Signed on** credentials<li>**Supplied** credentials<li>**Saved** credentials</ul>
+|**Access**|**Users allowed**, that is, members of Remote Desktop Users group of remote host.|**Users allowed**, that is, members of Remote Desktop Users of remote host.|**Administrators only**, that is, only members of Administrators group of remote host.
+|**Network identity**|Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. |Remote Desktop session **connects to other resources as remote host’s identity**.|
+|**Multi-hop**|From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**.|Not allowed for user as the session is running as a local host account|
+|**Supported authentication** |Any negotiable protocol.| Kerberos only.|Any negotiable protocol|
+<br /> 
+
+For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) 
+and [How Kerberos works](https://technet.microsoft.com/en-us/library/cc961963.aspx(d=robot))
+
+<br /> 
+
+<a id="helpdesk"></a>
+
+## Remote Desktop connections and helpdesk support scenarios
+ 
+For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects.
+
+Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
+
+To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks  facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/en-us/download/details.aspx?id=46899).
+
+For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). 
+
+
+<a id="reqs"></a>
+
+## Remote Credential Guard requirements
+
+To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: 
+
+The Remote Desktop client device:
+
+-   Must be running at least Windows 10, version 1703 to be able to supply credentials.
+-  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
+-  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
+-  Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
+
+The Remote Desktop remote host:
+
+-  Must be running at least Windows 10, version 1607 or Windows Server 2016.
+-  Must allow Restricted Admin connections.
+-  Must allow the client’s domain user to access Remote Desktop connections.
+-  Must allow delegation of non-exportable credentials.
+
+There are no hardware requirements for Windows Defender Remote Credential Guard.
 
 > [!NOTE]
 > Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
 
-- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication
+- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
 - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
 - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
 
 ## Enable Windows Defender Remote Credential Guard
 
-You must enable Windows Defender Remote Credential Guard on the target device by using the registry.
+You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
 
-1. Open Registry Editor.
+1. Open Registry Editor on the remote host.
-2. Enable Windows Defender Remote Credential Guard:
+2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
     - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
-    - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
+    - Add a new DWORD value named **DisableRestrictedAdmin**. 
+    - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
 3. Close Registry Editor.
 
-You can add this by running the following from an elevated command prompt:
+You can add this by running the following command from an elevated command prompt:
 
 ```
 reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
@@ -76,7 +122,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0
 
 ## Using Windows Defender Remote Credential Guard
 
-You can use Windows Defender Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. 
+Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection.
 
 ### Turn on Windows Defender Remote Credential Guard by using Group Policy
 
@@ -91,9 +137,9 @@ You can use Windows Defender Remote Credential Guard on the client device by set
 
         > **Note:**  Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
         
-    - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
+    - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
     
-    - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic.
+    - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
     
 4. Click **OK**.
 
@@ -104,7 +150,7 @@ You can use Windows Defender Remote Credential Guard on the client device by set
 
 ### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection 
 
-If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
+If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
 
 ```
 mstsc.exe /remoteGuard
@@ -113,18 +159,12 @@ mstsc.exe /remoteGuard
 
 ## Considerations when using Windows Defender Remote Credential Guard
 
-- Windows Defender Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied.
 
-- Windows Defender Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
+- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory. 
 
 - Remote Desktop Credential Guard only works with the RDP protocol.
 
-- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own.
+- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
-
-- Remote Desktop Gateway is not compatible with Windows Defender Remote Credential Guard.
-
-- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
-
-- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.
 
 - The server and client must authenticate using Kerberos.

windows/client-management/mdm/azure-active-directory-integration-with-mdm.md

@@ -634,7 +634,6 @@ Alert sample:
   <Item> 
    <Meta> 
     <Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type> 
-    <Format xmlns=”syncml:metinf”>chr</Format> 
    </Meta> 
    <Data>UserToken inserted here</Data> 
   </Item> 
@@ -664,7 +663,6 @@ Here's an example.
   <Item> 
    <Meta> 
     <Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type> 
-    <Format xmlns=”syncml:metinf”>chr</Format> 
    </Meta> 
    <Data>user</Data> 
   </Item> 

windows/client-management/mdm/bitlocker-csp.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/14/2017
+ms.date: 08/28/2017
 ---
 
 # BitLocker CSP
@@ -211,6 +211,9 @@ The following diagram shows the BitLocker configuration service provider in tree
 
 <p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
 
+> [!Note]  
+> In Windows 10, version 1709, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
+
 <p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
 
 <p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
@@ -298,6 +301,11 @@ The following diagram shows the BitLocker configuration service provider in tree
 
 <p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
 
+> [!Note]  
+> In Windows 10, version 1709, you can use a minimum PIN length of 4 digits. 
+>
+>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
+
 <p style="margin-left: 20px">If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.</p>
 
 <p style="margin-left: 20px">If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.</p>

windows/client-management/mdm/devdetail-csp.md

@@ -150,32 +150,32 @@ The following diagram shows the DevDetail configuration service provider managem
 > [!NOTE]
 > This is not supported in Windows 10 for desktop editions.
 
-<a href="" id="volteservicesetting"></a>**VoLTEServiceSetting**  
+<a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**  
 <p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
 
 <p style="margin-left: 20px">Supported operation is Get.
 
-<a href="" id="wlanipv4address"></a>**WlanIPv4Address**  
+<a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**  
 <p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
 
 <p style="margin-left: 20px">Supported operation is Get.
 
-<a href="" id="wlanipv6address"></a>**WlanIPv6Address**  
+<a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**  
 <p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
 
 <p style="margin-left: 20px">Supported operation is Get.
 
-<a href="" id="wlandnssuffix"></a>**WlanDnsSuffix**  
+<a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**  
 <p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
 
 <p style="margin-left: 20px">Supported operation is Get.
 
-<a href="" id="wlansubnetmask"></a>**WlanSubnetMask**  
+<a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**  
 <p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
 
 <p style="margin-left: 20px">Supported operation is Get.
 
-<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**  
+<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**  
 <p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
 
 > [!Note]  

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/21/2017
+ms.date: 08/31/2017
 ---
 
 # What's new in MDM enrollment and management
@@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 
 ## <a href="" id="whatsnew"></a>What's new in Windows 10, version 1511
 
-<table>
+<table class="mx-tdBreakAll">
 <colgroup>
 <col width="25%" />
 <col width="75%" />
@@ -184,7 +184,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 
 ## <a href="" id="whatsnew1607"></a>What's new in Windows 10, version 1607
 
-<table>
+<table class="mx-tdBreakAll">
 <colgroup>
 <col width="25%" />
 <col width="75%" />
@@ -495,7 +495,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 
 ## <a href="" id="whatsnew10"></a>What's new in Windows 10, version 1703
 
-<table>
+<table class="mx-tdBreakAll">
 <colgroup>
 <col width="25%" />
 <col width="75%" />
@@ -916,7 +916,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 
 ## <a href="" id="whatsnew1709"></a>What's new in Windows 10, version 1709
 
-<table>
+<table class="mx-tdBreakAll">
 <colgroup>
 <col width="25%" />
 <col width="75%" />
@@ -981,14 +981,25 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 </ul>
 </td></tr>
 <tr class="odd">
+<td style="vertical-align:top">[Bitlocker CSP](bitlocker-csp.md)</td>
+<td style="vertical-align:top"><p>Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[ADMX-backed policies in Policy CSP](policy-configuration-service-provider.md#admx-backed-policies)</td>
+<td style="vertical-align:top"><p>Added new policies.</p>
+</td></tr>
+<tr class="odd">
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p> 
 <ul>
+<li>Browser/LockdownFavorites</li>
+<li>Browser/ProvisionFavorites</li>
 <li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
 <li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
 <li>DeviceGuard/RequirePlatformSecurityFeatures</li>
 <li>DeviceGuard/LsaCfgFlags</li>
 <li>ExploitGuard/ExploitProtectionSettings</li>
+<li>Games/AllowAdvancedGamingServices</li>
 <li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
@@ -1033,6 +1044,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Education/PreventAddingNewPrinters</li>
 <li>Education/PrinterNames</li>
 <li>Security/ClearTPMIfNotReady</li>
+<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
+<li>Update/DisableDualScan</li>
 <li>Update/ScheduledInstallEveryWeek</li>
 <li>Update/ScheduledInstallFirstWeek</li>
 <li>Update/ScheduledInstallFourthWeek</li>
@@ -1324,7 +1337,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ### August 2017
 
-<table>
+<table class="mx-tdBreakAll">
 <colgroup>
 <col width="25%" />
 <col width="75%" />
@@ -1382,7 +1395,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
-<td style="vertical-align:top">Added information to the ADMX-backed policies.
+<td style="vertical-align:top">Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
@@ -1394,11 +1407,23 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Added default values.</li>
 </ul>
 </td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[Policy DDF file](policy-ddf-file.md)</td>
+<td style="vertical-align:top">Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
+<ul>
+<li>Browser/AllowMicrosoftCompatibilityList</li>
+<li>Update/DisableDualScan</li>
+<li>Update/FillEmptyContentUrls</li>
+</ul>
+</td></tr>
 <tr class="even">
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
 <ul>
+<li>Browser/ProvisionFavorites</li>
+<li>Browser/LockdownFavorites</li>
 <li>ExploitGuard/ExploitProtectionSettings</li>
+<li>Games/AllowAdvancedGamingServices</li>
 <li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
@@ -1425,6 +1450,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
 <li>Privacy/EnableActivityFeed</li>
 <li>Privacy/PublishUserActivities</li>
+<li>Update/DisableDualScan</li>
+<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
 </ul>
 <p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
 <p>Changed the names of the following policies:</p>
@@ -1434,6 +1461,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess</li>
 </ul>
 <p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).</p>
+<p>There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:</p>
+<ul>
+<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</li>
+<li>Start/HideAppList</li>
+</ul>
 </td></tr>
 </tbody>
 </table>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/21/2017
+ms.date: 08/25/2017
 ---
 
 # Policy CSP
@@ -456,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-browser.md#browser-homepages" id="browser-homepages">Browser/HomePages</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-browser.md#browser-lockdownfavorites" id="browser-lockdownfavorites">Browser/LockdownFavorites</a>
+  </dd>
   <dd>
     <a href="./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge" id="browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
   </dd>
@@ -474,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc" id="browser-preventusinglocalhostipaddressforwebrtc">Browser/PreventUsingLocalHostIPAddressForWebRTC</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-browser.md#browser-provisionfavorites" id="browser-provisionfavorites">Browser/ProvisionFavorites</a>
+  </dd>
   <dd>
     <a href="./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer" id="browser-sendintranettraffictointernetexplorer">Browser/SendIntranetTraffictoInternetExplorer</a>
   </dd>
@@ -2712,6 +2718,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-update.md#update-allowautoupdate" id="update-allowautoupdate">Update/AllowAutoUpdate</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork" id="update-allowautowindowsupdatedownloadovermeterednetwork">Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</a>
+  </dd>
   <dd>
     <a href="./policy-csp-update.md#update-allowmuupdateservice" id="update-allowmuupdateservice">Update/AllowMUUpdateService</a>
   </dd>
@@ -2748,6 +2757,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-update.md#update-detectionfrequency" id="update-detectionfrequency">Update/DetectionFrequency</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-update.md#update-disabledualscan" id="update-disabledualscan">Update/DisableDualScan</a>
+  </dd>
   <dd>
     <a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
   </dd>
@@ -3359,7 +3371,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)  
 -   [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)  
 -   [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)  
--   [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) 
 -   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
@@ -3368,7 +3379,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
 -   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
 -   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
--   [Privacy/PublishUserActivities](#privacy-publishuseractivities)  
 -   [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)  
 -   [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)  
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
@@ -3414,7 +3424,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Experience/AllowCortana](#experience-allowcortana)  
 -   [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)  
 -   [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)  
--   [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) 
 -   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
@@ -3423,7 +3432,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
 -   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
 -   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
--   [Privacy/PublishUserActivities](#privacy-publishuseractivities)  
 -   [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)  
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
 -   [Settings/AllowDateTime](#settings-allowdatetime)  
@@ -3514,6 +3522,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)  
 -   [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)  
 -   [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)  
+-   [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)  
 -   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
 -   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
@@ -3522,6 +3531,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
 -   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
 -   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
+-   [Privacy/PublishUserActivities](#privacy-publishuseractivities)  
 -   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)  
 -   [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)  
 -   [System/AllowFontProviders](#system-allowfontproviders)  

windows/client-management/mdm/policy-csp-abovelock.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - AboveLock

windows/client-management/mdm/policy-csp-accounts.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Accounts

windows/client-management/mdm/policy-csp-activexcontrols.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - ActiveXControls
@@ -64,7 +64,7 @@ Note: Wild card characters cannot be used when specifying the host URLs.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Approved Installation Sites for ActiveX Controls*
+-   GP English name: *Approved Installation Sites for ActiveX Controls*
 -   GP name: *ApprovedActiveXInstallSites*
 -   GP path: *Windows Components/ActiveX Installer Service*
 -   GP ADMX file name: *ActiveXInstallService.admx*

windows/client-management/mdm/policy-csp-applicationdefaults.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - ApplicationDefaults

windows/client-management/mdm/policy-csp-applicationmanagement.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - ApplicationManagement

windows/client-management/mdm/policy-csp-appvirtualization.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - AppVirtualization
@@ -58,9 +58,9 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable App-V Client*
+-   GP English name: *Enable App-V Client*
 -   GP name: *EnableAppV*
--   GP path: *Administrative Templates/System/App-V*
+-   GP path: *System/App-V*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -104,9 +104,9 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable Dynamic Virtualization*
+-   GP English name: *Enable Dynamic Virtualization*
 -   GP name: *Virtualization_JITVEnable*
--   GP path: *Administrative Templates/System/App-V/Virtualization*
+-   GP path: *System/App-V/Virtualization*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -150,9 +150,9 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable automatic cleanup of unused appv packages*
+-   GP English name: *Enable automatic cleanup of unused appv packages*
 -   GP name: *PackageManagement_AutoCleanupEnable*
--   GP path: *Administrative Templates/System/App-V/PackageManagement*
+-   GP path: *System/App-V/PackageManagement*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -196,9 +196,9 @@ Enables scripts defined in the package manifest of configuration files that shou
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable Package Scripts*
+-   GP English name: *Enable Package Scripts*
 -   GP name: *Scripting_Enable_Package_Scripts*
--   GP path: *Administrative Templates/System/App-V/Scripting*
+-   GP path: *System/App-V/Scripting*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -242,9 +242,9 @@ Enables a UX to display to the user when a publishing refresh is performed on th
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable Publishing Refresh UX*
+-   GP English name: *Enable Publishing Refresh UX*
 -   GP name: *Enable_Publishing_Refresh_UX*
--   GP path: *Administrative Templates/System/App-V/Publishing*
+-   GP path: *System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -298,9 +298,9 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Reporting Server*
+-   GP English name: *Reporting Server*
 -   GP name: *Reporting_Server_Policy*
--   GP path: *Administrative Templates/System/App-V/Reporting*
+-   GP path: *System/App-V/Reporting*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -344,9 +344,9 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Roaming File Exclusions*
+-   GP English name: *Roaming File Exclusions*
 -   GP name: *Integration_Roaming_File_Exclusions*
--   GP path: *Administrative Templates/System/App-V/Integration*
+-   GP path: *System/App-V/Integration*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -390,9 +390,9 @@ Specifies the registry paths that do not roam with a user profile. Example usage
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Roaming Registry Exclusions*
+-   GP English name: *Roaming Registry Exclusions*
 -   GP name: *Integration_Roaming_Registry_Exclusions*
--   GP path: *Administrative Templates/System/App-V/Integration*
+-   GP path: *System/App-V/Integration*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -436,9 +436,9 @@ Specifies how new packages should be loaded automatically by App-V on a specific
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify what to load in background (aka AutoLoad)*
+-   GP English name: *Specify what to load in background (aka AutoLoad)*
 -   GP name: *Steaming_Autoload*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -482,9 +482,9 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable Migration Mode*
+-   GP English name: *Enable Migration Mode*
 -   GP name: *Client_Coexistence_Enable_Migration_mode*
--   GP path: *Administrative Templates/System/App-V/Client Coexistence*
+-   GP path: *System/App-V/Client Coexistence*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -528,9 +528,9 @@ Specifies the location where symbolic links are created to the current version o
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Integration Root User*
+-   GP English name: *Integration Root User*
 -   GP name: *Integration_Root_User*
--   GP path: *Administrative Templates/System/App-V/Integration*
+-   GP path: *System/App-V/Integration*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -574,9 +574,9 @@ Specifies the location where symbolic links are created to the current version o
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Integration Root Global*
+-   GP English name: *Integration Root Global*
 -   GP name: *Integration_Root_Global*
--   GP path: *Administrative Templates/System/App-V/Integration*
+-   GP path: *System/App-V/Integration*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -638,9 +638,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Publishing Server 1 Settings*
+-   GP English name: *Publishing Server 1 Settings*
 -   GP name: *Publishing_Server1_Policy*
--   GP path: *Administrative Templates/System/App-V/Publishing*
+-   GP path: *System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -704,7 +704,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 ADMX Info:  
 -   GP English name: *Publishing Server 2 Settings*
 -   GP name: *Publishing_Server2_Policy*
--   GP path: *Administrative Templates/System/App-V/Publishing*
+-   GP path: *System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -766,9 +766,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Publishing Server 3 Settings*
+-   GP English name: *Publishing Server 3 Settings*
 -   GP name: *Publishing_Server3_Policy*
--   GP path: *Administrative Templates/System/App-V/Publishing*
+-   GP path: *System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -830,9 +830,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Publishing Server 4 Settings*
+-   GP English name: *Publishing Server 4 Settings*
 -   GP name: *Publishing_Server4_Policy*
--   GP path: *Administrative Templates/System/App-V/Publishing*
+-   GP path: *System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -894,9 +894,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Publishing Server 5 Settings*
+-   GP English name: *Publishing Server 5 Settings*
 -   GP name: *Publishing_Server5_Policy*
--   GP path: *Administrative Templates/System/App-V/Publishing*
+-   GP path: *System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -940,9 +940,9 @@ Specifies the path to a valid certificate in the certificate store.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Certificate Filter For Client SSL*
+-   GP English name: *Certificate Filter For Client SSL*
 -   GP name: *Streaming_Certificate_Filter_For_Client_SSL*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -986,9 +986,9 @@ This setting controls whether virtualized applications are launched on Windows 8
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
+-   GP English name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
 -   GP name: *Streaming_Allow_High_Cost_Launch*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1032,9 +1032,9 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Location Provider*
+-   GP English name: *Location Provider*
 -   GP name: *Streaming_Location_Provider*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1078,9 +1078,9 @@ Specifies directory where all new applications and updates will be installed.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Package Installation Root*
+-   GP English name: *Package Installation Root*
 -   GP name: *Streaming_Package_Installation_Root*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1124,9 +1124,9 @@ Overrides source location for downloading package content.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Package Source Root*
+-   GP English name: *Package Source Root*
 -   GP name: *Streaming_Package_Source_Root*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1170,9 +1170,9 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Reestablishment Interval*
+-   GP English name: *Reestablishment Interval*
 -   GP name: *Streaming_Reestablishment_Interval*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1216,9 +1216,9 @@ Specifies the number of times to retry a dropped session.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Reestablishment Retries*
+-   GP English name: *Reestablishment Retries*
 -   GP name: *Streaming_Reestablishment_Retries*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1262,9 +1262,9 @@ Specifies that streamed package contents will be not be saved to the local hard
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Shared Content Store (SCS) mode*
+-   GP English name: *Shared Content Store (SCS) mode*
 -   GP name: *Streaming_Shared_Content_Store_Mode*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1308,9 +1308,9 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable Support for BranchCache*
+-   GP English name: *Enable Support for BranchCache*
 -   GP name: *Streaming_Support_Branch_Cache*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1354,9 +1354,9 @@ Verifies Server certificate revocation status before streaming using HTTPS.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Verify certificate revocation list*
+-   GP English name: *Verify certificate revocation list*
 -   GP name: *Streaming_Verify_Certificate_Revocation_List*
--   GP path: *Administrative Templates/System/App-V/Streaming*
+-   GP path: *System/App-V/Streaming*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->
@@ -1400,9 +1400,9 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Virtual Component Process Allow List*
+-   GP English name: *Virtual Component Process Allow List*
 -   GP name: *Virtualization_JITVAllowList*
--   GP path: *Administrative Templates/System/App-V/Virtualization*
+-   GP path: *System/App-V/Virtualization*
 -   GP ADMX file name: *appv.admx*
 
 <!--EndADMX-->

windows/client-management/mdm/policy-csp-attachmentmanager.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - AttachmentManager
@@ -64,7 +64,7 @@ If you do not configure this policy setting, Windows marks file attachments with
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not preserve zone information in file attachments*
+-   GP English name: *Do not preserve zone information in file attachments*
 -   GP name: *AM_MarkZoneOnSavedAtttachments*
 -   GP path: *Windows Components/Attachment Manager*
 -   GP ADMX file name: *AttachmentManager.admx*
@@ -116,7 +116,7 @@ If you do not configure this policy setting, Windows hides the check box and Unb
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Hide mechanisms to remove zone information*
+-   GP English name: *Hide mechanisms to remove zone information*
 -   GP name: *AM_RemoveZoneInfo*
 -   GP path: *Windows Components/Attachment Manager*
 -   GP ADMX file name: *AttachmentManager.admx*
@@ -168,7 +168,7 @@ If you do not configure this policy setting, Windows does not call the registere
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Notify antivirus programs when opening attachments*
+-   GP English name: *Notify antivirus programs when opening attachments*
 -   GP name: *AM_CallIOfficeAntiVirus*
 -   GP path: *Windows Components/Attachment Manager*
 -   GP ADMX file name: *AttachmentManager.admx*

windows/client-management/mdm/policy-csp-authentication.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Authentication

windows/client-management/mdm/policy-csp-autoplay.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Autoplay
@@ -62,7 +62,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Disallow Autoplay for non-volume devices*
+-   GP English name: *Disallow Autoplay for non-volume devices*
 -   GP name: *NoAutoplayfornonVolume*
 -   GP path: *Windows Components/AutoPlay Policies*
 -   GP ADMX file name: *AutoPlay.admx*
@@ -121,7 +121,7 @@ If you disable or not configure this policy setting, Windows Vista or later will
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Set the default behavior for AutoRun*
+-   GP English name: *Set the default behavior for AutoRun*
 -   GP name: *NoAutorun*
 -   GP path: *Windows Components/AutoPlay Policies*
 -   GP ADMX file name: *AutoPlay.admx*
@@ -181,7 +181,7 @@ Note: This policy setting appears in both the Computer Configuration and User Co
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off Autoplay*
+-   GP English name: *Turn off Autoplay*
 -   GP name: *Autorun*
 -   GP path: *Windows Components/AutoPlay Policies*
 -   GP ADMX file name: *AutoPlay.admx*

windows/client-management/mdm/policy-csp-bitlocker.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Bitlocker
@@ -85,6 +85,7 @@ ms.date: 08/09/2017
     <a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a>
   </dd>
 </dl>
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <hr/>
@@ -96,3 +97,4 @@ Footnote:
 -   3 - Added in Windows 10, version 1709.
 
 <!--EndPolicies-->
+

windows/client-management/mdm/policy-csp-bluetooth.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Bluetooth

windows/client-management/mdm/policy-csp-browser.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Browser
@@ -679,6 +679,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="browser-alwaysenablebookslibrary"></a>**Browser/AlwaysEnableBooksLibrary**  
+
+<!--StartDescription-->
+<p style="margin-left: 20px">
+
+<p style="margin-left: 20px">This is only a placeholder.
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
@@ -965,6 +975,51 @@ Employees cannot remove these search engines, but they can set any one as the de
 > [!NOTE]
 > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="browser-lockdownfavorites"></a>**Browser/LockdownFavorites**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
+
+<p style="margin-left: 20px">If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
+
+> [!Important]  
+> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
+
+<ul>
+<li> 0 - Disabled. Do not lockdown Favorites.</li>
+<li> 1 - Enabled. Lockdown Favorites.</li>
+</ul>
+
+<p style="margin-left: 20px">If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
+
+<p style="margin-left: 20px">Data type is integer.
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
@@ -1191,6 +1246,50 @@ Employees cannot remove these search engines, but they can set any one as the de
 -   0 (default) – The localhost IP address is shown.
 -   1 – The localhost IP address is hidden.
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="browser-provisionfavorites"></a>**Browser/ProvisionFavorites**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. 
+ 
+<p style="margin-left: 20px">URL can be specified as:
+
+- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
+- Local network: "SiteList"="\\network\shares\URLs.html"
+- Local file: "SiteList"="file:///c:\\Users\\<user>\\Documents\\URLs.html"
+
+> [!Important]  
+> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
+
+<p style="margin-left: 20px">If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
+
+<p style="margin-left: 20px">Data type is string.
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->

windows/client-management/mdm/policy-csp-camera.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Camera

windows/client-management/mdm/policy-csp-cellular.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Cellular
@@ -56,7 +56,7 @@ ms.date: 08/09/2017
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Set Per-App Cellular Access UI Visibility*
+-   GP English name: *Set Per-App Cellular Access UI Visibility*
 -   GP name: *ShowAppCellularAccessUI*
 -   GP path: *Network/WWAN Service/WWAN UI Settings*
 -   GP ADMX file name: *wwansvc.admx*

windows/client-management/mdm/policy-csp-connectivity.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Connectivity
@@ -386,8 +386,9 @@ ms.date: 08/09/2017
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off printing over HTTP*
+-   GP English name: *Turn off printing over HTTP*
 -   GP name: *DisableHTTPPrinting_2*
+-   GP path: *Internet Communication settings*
 -   GP ADMX file name: *ICM.admx*
 
 <!--EndADMX-->
@@ -429,8 +430,9 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off downloading of print drivers over HTTP*
+-   GP English name: *Turn off downloading of print drivers over HTTP*
 -   GP name: *DisableWebPnPDownload_2*
+-   GP path: *Internet Communication settings*
 -   GP ADMX file name: *ICM.admx*
 
 <!--EndADMX-->
@@ -472,8 +474,9 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off Internet download for Web publishing and online ordering wizards*
+-   GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
 -   GP name: *ShellPreventWPWDownload_2*
+-   GP path: *Internet Communication settings*
 -   GP ADMX file name: *ICM.admx*
 
 <!--EndADMX-->
@@ -519,7 +522,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Hardened UNC Paths*
+-   GP English name: *Hardened UNC Paths*
 -   GP name: *Pol_HardenedPaths*
 -   GP path: *Network/Network Provider*
 -   GP ADMX file name: *networkprovider.admx*
@@ -563,7 +566,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
+-   GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
 -   GP name: *NC_AllowNetBridge_NLA*
 -   GP path: *Network/Network Connections*
 -   GP ADMX file name: *NetworkConnections.admx*

windows/client-management/mdm/policy-csp-credentialproviders.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - CredentialProviders
@@ -66,8 +66,9 @@ To configure Windows Hello for Business, use the Administrative Template policie
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn on convenience PIN sign-in*
+-   GP English name: *Turn on convenience PIN sign-in*
 -   GP name: *AllowDomainPINLogon*
+-   GP path: *System/Logon*
 -   GP ADMX file name: *credentialproviders.admx*
 
 <!--EndADMX-->
@@ -117,8 +118,9 @@ Note that the user's domain password will be cached in the system vault when usi
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off picture password sign-in*
+-   GP English name: *Turn off picture password sign-in*
 -   GP name: *BlockDomainPicturePassword*
+-   GP path: *System/Logon*
 -   GP ADMX file name: *credentialproviders.admx*
 
 <!--EndADMX-->

windows/client-management/mdm/policy-csp-credentialsui.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - CredentialsUI
@@ -66,7 +66,7 @@ The policy applies to all Windows components and applications that use the Windo
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not display the password reveal button*
+-   GP English name: *Do not display the password reveal button*
 -   GP name: *DisablePasswordReveal*
 -   GP path: *Windows Components/Credential User Interface*
 -   GP ADMX file name: *credui.admx*
@@ -116,7 +116,7 @@ If you disable this policy setting, users will always be required to type a user
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enumerate administrator accounts on elevation*
+-   GP English name: *Enumerate administrator accounts on elevation*
 -   GP name: *EnumerateAdministrators*
 -   GP path: *Windows Components/Credential User Interface*
 -   GP ADMX file name: *credui.admx*

windows/client-management/mdm/policy-csp-cryptography.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Cryptography

windows/client-management/mdm/policy-csp-dataprotection.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - DataProtection

windows/client-management/mdm/policy-csp-datausage.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - DataUsage
@@ -68,7 +68,7 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Set 3G Cost*
+-   GP English name: *Set 3G Cost*
 -   GP name: *SetCost3G*
 -   GP path: *Network/WWAN Service/WWAN Media Cost*
 -   GP ADMX file name: *wwansvc.admx*
@@ -124,7 +124,7 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Set 4G Cost*
+-   GP English name: *Set 4G Cost*
 -   GP name: *SetCost4G*
 -   GP path: *Network/WWAN Service/WWAN Media Cost*
 -   GP ADMX file name: *wwansvc.admx*

windows/client-management/mdm/policy-csp-defender.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Defender
@@ -740,6 +740,74 @@ Value type is string.
 > [!Note]  
 > This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="defender-controlledfolderaccessallowedapplications"></a>**Defender/ControlledFolderAccessAllowedApplications**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
+
+<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode &#xF000; as the substring separator.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="defender-controlledfolderaccessprotectedfolders"></a>**Defender/ControlledFolderAccessProtectedFolders**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
+
+<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode &#xF000; as the substring separator.
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
@@ -974,74 +1042,6 @@ Value type is string.
  
 <p style="margin-left: 20px">Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
 
-<!--EndDescription-->
-<!--EndPolicy-->
-<!--StartPolicy-->
-<a href="" id="defender-controlledfolderaccessallowedapplications"></a>**Defender/ControlledFolderAccessAllowedApplications**  
-
-<!--StartSKU-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--EndSKU-->
-<!--StartDescription-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-
-<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode &#xF000; as the substring separator.
-
-<!--EndDescription-->
-<!--EndPolicy-->
-<!--StartPolicy-->
-<a href="" id="defender-controlledfolderaccessprotectedfolders"></a>**Defender/ControlledFolderAccessProtectedFolders**  
-
-<!--StartSKU-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--EndSKU-->
-<!--StartDescription-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-
-<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode &#xF000; as the substring separator.
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->

windows/client-management/mdm/policy-csp-deliveryoptimization.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - DeliveryOptimization

windows/client-management/mdm/policy-csp-desktop.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Desktop
@@ -62,8 +62,9 @@ If you enable this setting, users are unable to type a new location in the Targe
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Prohibit User from manually redirecting Profile Folders*
+-   GP English name: *Prohibit User from manually redirecting Profile Folders*
 -   GP name: *DisablePersonalDirChange*
+-   GP path: *Desktop*
 -   GP ADMX file name: *desktop.admx*
 
 <!--EndADMX-->

windows/client-management/mdm/policy-csp-deviceguard.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - DeviceGuard

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - DeviceInstallation
@@ -62,7 +62,7 @@ If you disable or do not configure this policy setting, devices can be installed
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Prevent installation of devices that match any of these device IDs*
+-   GP English name: *Prevent installation of devices that match any of these device IDs*
 -   GP name: *DeviceInstall_IDs_Deny*
 -   GP path: *System/Device Installation/Device Installation Restrictions*
 -   GP ADMX file name: *deviceinstallation.admx*
@@ -112,7 +112,7 @@ If you disable or do not configure this policy setting, Windows can install and
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Prevent installation of devices using drivers that match these device setup classes*
+-   GP English name: *Prevent installation of devices using drivers that match these device setup classes*
 -   GP name: *DeviceInstall_Classes_Deny*
 -   GP path: *System/Device Installation/Device Installation Restrictions*
 -   GP ADMX file name: *deviceinstallation.admx*

windows/client-management/mdm/policy-csp-devicelock.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - DeviceLock
@@ -767,7 +767,7 @@ If you enable this setting, users will no longer be able to modify slide show se
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Prevent enabling lock screen slide show*
+-   GP English name: *Prevent enabling lock screen slide show*
 -   GP name: *CPL_Personalization_NoLockScreenSlideshow*
 -   GP path: *Control Panel/Personalization*
 -   GP ADMX file name: *ControlPanelDisplay.admx*

windows/client-management/mdm/policy-csp-display.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Display

windows/client-management/mdm/policy-csp-education.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Education

windows/client-management/mdm/policy-csp-enterprisecloudprint.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - EnterpriseCloudPrint

windows/client-management/mdm/policy-csp-errorreporting.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - ErrorReporting
@@ -72,8 +72,9 @@ If you disable or do not configure this policy setting, then the default consent
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Customize consent settings*
+-   GP English name: *Customize consent settings*
 -   GP name: *WerConsentCustomize_2*
+-   GP path: *Windows Components/Windows Error Reporting/Consent*
 -   GP ADMX file name: *ErrorReporting.admx*
 
 <!--EndADMX-->
@@ -121,7 +122,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Disable Windows Error Reporting*
+-   GP English name: *Disable Windows Error Reporting*
 -   GP name: *WerDisable_2*
 -   GP path: *Windows Components/Windows Error Reporting*
 -   GP ADMX file name: *ErrorReporting.admx*
@@ -175,7 +176,7 @@ See also the Configure Error Reporting policy setting.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Display Error Notification*
+-   GP English name: *Display Error Notification*
 -   GP name: *PCH_ShowUI*
 -   GP path: *Windows Components/Windows Error Reporting*
 -   GP ADMX file name: *ErrorReporting.admx*
@@ -225,7 +226,7 @@ If you disable or do not configure this policy setting, then consent policy sett
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not send additional data*
+-   GP English name: *Do not send additional data*
 -   GP name: *WerNoSecondLevelData_2*
 -   GP path: *Windows Components/Windows Error Reporting*
 -   GP ADMX file name: *ErrorReporting.admx*
@@ -275,7 +276,7 @@ If you disable or do not configure this policy setting, Windows Error Reporting
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Prevent display of the user interface for critical errors*
+-   GP English name: *Prevent display of the user interface for critical errors*
 -   GP name: *WerDoNotShowUI*
 -   GP path: *Windows Components/Windows Error Reporting*
 -   GP ADMX file name: *ErrorReporting.admx*

windows/client-management/mdm/policy-csp-eventlogservice.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - EventLogService
@@ -64,7 +64,7 @@ Note: Old events may or may not be retained according to the "Backup log automat
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Control Event Log behavior when the log file reaches its maximum size*
+-   GP English name: *Control Event Log behavior when the log file reaches its maximum size*
 -   GP name: *Channel_Log_Retention_1*
 -   GP path: *Windows Components/Event Log Service/Application*
 -   GP ADMX file name: *eventlog.admx*
@@ -114,7 +114,7 @@ If you disable or do not configure this policy setting, the maximum size of the
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the maximum log file size (KB)*
+-   GP English name: *Specify the maximum log file size (KB)*
 -   GP name: *Channel_LogMaxSize_1*
 -   GP path: *Windows Components/Event Log Service/Application*
 -   GP ADMX file name: *eventlog.admx*
@@ -164,7 +164,7 @@ If you disable or do not configure this policy setting, the maximum size of the
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the maximum log file size (KB)*
+-   GP English name: *Specify the maximum log file size (KB)*
 -   GP name: *Channel_LogMaxSize_2*
 -   GP path: *Windows Components/Event Log Service/Security*
 -   GP ADMX file name: *eventlog.admx*
@@ -214,7 +214,7 @@ If you disable or do not configure this policy setting, the maximum size of the
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the maximum log file size (KB)*
+-   GP English name: *Specify the maximum log file size (KB)*
 -   GP name: *Channel_LogMaxSize_4*
 -   GP path: *Windows Components/Event Log Service/System*
 -   GP ADMX file name: *eventlog.admx*

windows/client-management/mdm/policy-csp-experience.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Experience

windows/client-management/mdm/policy-csp-games.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/31/2017
 ---
 
 # Policy CSP - Games
@@ -22,9 +22,36 @@ ms.date: 08/09/2017
 <!--StartPolicy-->
 <a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**  
 
-<!--StartDescription-->
+<!--StartSKU-->
-<p style="margin-left: 20px">Placeholder only. Currently not supported.
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
 
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
+
+- 0 - Not Allowed
+- 1 (default) - Allowed
+
+<p style="margin-left: 20px">This policy can only be turned off in Windows 10 Education and Enterprise editions.
 <!--EndDescription-->
 <!--EndPolicy-->
 <hr/>

windows/client-management/mdm/policy-csp-kerberos.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Kerberos
@@ -62,7 +62,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Use forest search order*
+-   GP English name: *Use forest search order*
 -   GP name: *ForestSearch*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
@@ -111,7 +111,7 @@ If you disable or do not configure this policy setting, the client devices will
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
+-   GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
 -   GP name: *EnableCbacAndArmor*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
@@ -165,7 +165,7 @@ If you disable or do not configure this policy setting, the client computers in
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Fail authentication requests when Kerberos armoring is not available*
+-   GP English name: *Fail authentication requests when Kerberos armoring is not available*
 -   GP name: *ClientRequireFast*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
@@ -215,7 +215,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Require strict KDC validation*
+-   GP English name: *Require strict KDC validation*
 -   GP name: *ValidateKDC*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
@@ -269,7 +269,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Set maximum Kerberos SSPI context token buffer size*
+-   GP English name: *Set maximum Kerberos SSPI context token buffer size*
 -   GP name: *MaxTokenSize*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*

windows/client-management/mdm/policy-csp-licensing.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Licensing

windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - LocalPoliciesSecurityOptions
@@ -672,46 +672,6 @@ Valid values:
 - 0 - disabled
 - 1 - enabled (allow system to be shut down without having to log on)
 
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-<!--EndDescription-->
-<!--EndPolicy-->
-<!--StartPolicy-->
-<a href="" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode"></a>**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**  
-
-<!--StartSKU-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--EndSKU-->
-<!--StartDescription-->
-User Account Control: Turn on Admin Approval Mode
-
-This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
-
-The options are:
-- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
-- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
-
-
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 
 <!--EndDescription-->
@@ -931,6 +891,46 @@ The options are:
 - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
 - 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
 
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode"></a>**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+User Account Control: Turn on Admin Approval Mode
+
+This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
+
+
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 
 <!--EndDescription-->

windows/client-management/mdm/policy-csp-location.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Location

windows/client-management/mdm/policy-csp-lockdown.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - LockDown

windows/client-management/mdm/policy-csp-maps.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Maps

windows/client-management/mdm/policy-csp-messaging.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Messaging

windows/client-management/mdm/policy-csp-networkisolation.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - NetworkIsolation

windows/client-management/mdm/policy-csp-notifications.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Notifications

windows/client-management/mdm/policy-csp-power.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Power
@@ -62,7 +62,7 @@ If you disable this policy setting, standby states (S1-S3) are not allowed.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
+-   GP English name: *Allow standby states (S1-S3) when sleeping (plugged in)*
 -   GP name: *AllowStandbyStatesAC_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*
@@ -114,7 +114,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off the display (on battery)*
+-   GP English name: *Turn off the display (on battery)*
 -   GP name: *VideoPowerDownTimeOutDC_2*
 -   GP path: *System/Power Management/Video and Display Settings*
 -   GP ADMX file name: *power.admx*
@@ -166,7 +166,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off the display (plugged in)*
+-   GP English name: *Turn off the display (plugged in)*
 -   GP name: *VideoPowerDownTimeOutAC_2*
 -   GP path: *System/Power Management/Video and Display Settings*
 -   GP ADMX file name: *power.admx*
@@ -219,7 +219,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the system hibernate timeout (on battery)*
+-   GP English name: *Specify the system hibernate timeout (on battery)*
 -   GP name: *DCHibernateTimeOut_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*
@@ -271,7 +271,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the system hibernate timeout (plugged in)*
+-   GP English name: *Specify the system hibernate timeout (plugged in)*
 -   GP name: *ACHibernateTimeOut_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*
@@ -321,7 +321,7 @@ If you disable this policy setting, the user is not prompted for a password when
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Require a password when a computer wakes (on battery)*
+-   GP English name: *Require a password when a computer wakes (on battery)*
 -   GP name: *DCPromptForPasswordOnResume_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*
@@ -371,7 +371,7 @@ If you disable this policy setting, the user is not prompted for a password when
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Require a password when a computer wakes (plugged in)*
+-   GP English name: *Require a password when a computer wakes (plugged in)*
 -   GP name: *ACPromptForPasswordOnResume_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*
@@ -423,7 +423,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the system sleep timeout (on battery)*
+-   GP English name: *Specify the system sleep timeout (on battery)*
 -   GP name: *DCStandbyTimeOut_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*
@@ -475,7 +475,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify the system sleep timeout (plugged in)*
+-   GP English name: *Specify the system sleep timeout (plugged in)*
 -   GP name: *ACStandbyTimeOut_2*
 -   GP path: *System/Power Management/Sleep Settings*
 -   GP ADMX file name: *power.admx*

windows/client-management/mdm/policy-csp-printers.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Printers
@@ -75,8 +75,9 @@ If you disable this policy setting:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Point and Print Restrictions*
+-   GP English name: *Point and Print Restrictions*
 -   GP name: *PointAndPrint_Restrictions_Win7*
+-   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 
 <!--EndADMX-->
@@ -137,7 +138,7 @@ If you disable this policy setting:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Point and Print Restrictions*
+-   GP English name: *Point and Print Restrictions*
 -   GP name: *PointAndPrint_Restrictions*
 -   GP path: *Control Panel/Printers*
 -   GP ADMX file name: *Printing.admx*
@@ -189,8 +190,9 @@ Note: This settings takes priority over the setting "Automatically publish new p
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow printers to be published*
+-   GP English name: *Allow printers to be published*
 -   GP name: *PublishPrinters*
+-   GP path: *Printers*
 -   GP ADMX file name: *Printing2.admx*
 
 <!--EndADMX-->

windows/client-management/mdm/policy-csp-privacy.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/21/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Privacy
@@ -34,11 +34,11 @@ ms.date: 08/21/2017
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
@@ -48,6 +48,9 @@ ms.date: 08/21/2017
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
 
+> [!Note]  
+> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
+
 <p style="margin-left: 20px">The following list shows the supported values:
 
 -   0 (default)– Not allowed.
@@ -2627,6 +2630,5 @@ Footnote:
 -   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
 -   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
 -   [Privacy/PublishUserActivities](#privacy-publishuseractivities)  
-
 <!--EndSurfaceHub-->
 

windows/client-management/mdm/policy-csp-remoteassistance.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - RemoteAssistance
@@ -68,7 +68,7 @@ If you do not configure this policy setting, the user sees the default warning m
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Customize warning messages*
+-   GP English name: *Customize warning messages*
 -   GP name: *RA_Options*
 -   GP path: *System/Remote Assistance*
 -   GP ADMX file name: *remoteassistance.admx*
@@ -120,7 +120,7 @@ If you do not configure this setting, application-based settings are used.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn on session logging*
+-   GP English name: *Turn on session logging*
 -   GP name: *RA_Logging*
 -   GP path: *System/Remote Assistance*
 -   GP ADMX file name: *remoteassistance.admx*
@@ -180,7 +180,7 @@ If you enable this policy setting you should also enable appropriate firewall ex
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Configure Solicited Remote Assistance*
+-   GP English name: *Configure Solicited Remote Assistance*
 -   GP name: *RA_Solicit*
 -   GP path: *System/Remote Assistance*
 -   GP ADMX file name: *remoteassistance.admx*
@@ -263,7 +263,7 @@ Allow Remote Desktop Exception
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Configure Offer Remote Assistance*
+-   GP English name: *Configure Offer Remote Assistance*
 -   GP name: *RA_Unsolicit*
 -   GP path: *System/Remote Assistance*
 -   GP ADMX file name: *remoteassistance.admx*

windows/client-management/mdm/policy-csp-remotedesktopservices.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - RemoteDesktopServices
@@ -68,7 +68,7 @@ You can limit the number of users who can connect simultaneously by configuring
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow users to connect remotely by using Remote Desktop Services*
+-   GP English name: *Allow users to connect remotely by using Remote Desktop Services*
 -   GP name: *TS_DISABLE_CONNECTIONS*
 -   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
 -   GP ADMX file name: *terminalserver.admx*
@@ -128,7 +128,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Set client connection encryption level*
+-   GP English name: *Set client connection encryption level*
 -   GP name: *TS_ENCRYPTION_POLICY*
 -   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
 -   GP ADMX file name: *terminalserver.admx*
@@ -182,7 +182,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not allow drive redirection*
+-   GP English name: *Do not allow drive redirection*
 -   GP name: *TS_CLIENT_DRIVE_M*
 -   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
 -   GP ADMX file name: *terminalserver.admx*
@@ -232,7 +232,7 @@ If you disable this setting or leave it not configured, the user will be able to
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not allow passwords to be saved*
+-   GP English name: *Do not allow passwords to be saved*
 -   GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
 -   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
 -   GP ADMX file name: *terminalserver.admx*
@@ -288,7 +288,7 @@ If you do not configure this policy setting, automatic logon is not specified at
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Always prompt for password upon connection*
+-   GP English name: *Always prompt for password upon connection*
 -   GP name: *TS_PASSWORD*
 -   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
 -   GP ADMX file name: *terminalserver.admx*
@@ -344,7 +344,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Require secure RPC communication*
+-   GP English name: *Require secure RPC communication*
 -   GP name: *TS_RPC_ENCRYPTION*
 -   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
 -   GP ADMX file name: *terminalserver.admx*

windows/client-management/mdm/policy-csp-remotemanagement.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - RemoteManagement
@@ -56,7 +56,7 @@ ms.date: 08/09/2017
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow Basic authentication*
+-   GP English name: *Allow Basic authentication*
 -   GP name: *AllowBasic_2*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -100,7 +100,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow Basic authentication*
+-   GP English name: *Allow Basic authentication*
 -   GP name: *AllowBasic_1*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -144,7 +144,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow CredSSP authentication*
+-   GP English name: *Allow CredSSP authentication*
 -   GP name: *AllowCredSSP_2*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -188,7 +188,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow CredSSP authentication*
+-   GP English name: *Allow CredSSP authentication*
 -   GP name: *AllowCredSSP_1*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -232,7 +232,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow remote server management through WinRM*
+-   GP English name: *Allow remote server management through WinRM*
 -   GP name: *AllowAutoConfig*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -276,7 +276,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow unencrypted traffic*
+-   GP English name: *Allow unencrypted traffic*
 -   GP name: *AllowUnencrypted_2*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -320,7 +320,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow unencrypted traffic*
+-   GP English name: *Allow unencrypted traffic*
 -   GP name: *AllowUnencrypted_1*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -364,7 +364,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Disallow Digest authentication*
+-   GP English name: *Disallow Digest authentication*
 -   GP name: *DisallowDigest*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -408,7 +408,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Disallow Negotiate authentication*
+-   GP English name: *Disallow Negotiate authentication*
 -   GP name: *DisallowNegotiate_2*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -452,7 +452,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Disallow Negotiate authentication*
+-   GP English name: *Disallow Negotiate authentication*
 -   GP name: *DisallowNegotiate_1*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -496,7 +496,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Disallow WinRM from storing RunAs credentials*
+-   GP English name: *Disallow WinRM from storing RunAs credentials*
 -   GP name: *DisableRunAs*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -540,7 +540,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify channel binding token hardening level*
+-   GP English name: *Specify channel binding token hardening level*
 -   GP name: *CBTHardeningLevel_1*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -584,7 +584,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Trusted Hosts*
+-   GP English name: *Trusted Hosts*
 -   GP name: *TrustedHosts*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -628,7 +628,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn On Compatibility HTTP Listener*
+-   GP English name: *Turn On Compatibility HTTP Listener*
 -   GP name: *HttpCompatibilityListener*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -672,7 +672,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn On Compatibility HTTPS Listener*
+-   GP English name: *Turn On Compatibility HTTPS Listener*
 -   GP name: *HttpsCompatibilityListener*
 -   GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
 -   GP ADMX file name: *WindowsRemoteManagement.admx*

windows/client-management/mdm/policy-csp-remoteprocedurecall.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - RemoteProcedureCall
@@ -66,7 +66,7 @@ Note: This policy will not be applied until the system is rebooted.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Enable RPC Endpoint Mapper Client Authentication*
+-   GP English name: *Enable RPC Endpoint Mapper Client Authentication*
 -   GP name: *RpcEnableAuthEpResolution*
 -   GP path: *System/Remote Procedure Call*
 -   GP ADMX file name: *rpc.admx*
@@ -128,7 +128,7 @@ Note: This policy setting will not be applied until the system is rebooted.
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Restrict Unauthenticated RPC clients*
+-   GP English name: *Restrict Unauthenticated RPC clients*
 -   GP name: *RpcRestrictRemoteClients*
 -   GP path: *System/Remote Procedure Call*
 -   GP ADMX file name: *rpc.admx*

windows/client-management/mdm/policy-csp-remoteshell.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - RemoteShell
@@ -56,7 +56,7 @@ ms.date: 08/09/2017
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Allow Remote Shell Access*
+-   GP English name: *Allow Remote Shell Access*
 -   GP name: *AllowRemoteShellAccess*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*
@@ -100,7 +100,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *MaxConcurrentUsers*
+-   GP English name: *MaxConcurrentUsers*
 -   GP name: *MaxConcurrentUsers*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*
@@ -144,7 +144,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify idle Timeout*
+-   GP English name: *Specify idle Timeout*
 -   GP name: *IdleTimeout*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*
@@ -188,7 +188,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify maximum amount of memory in MB per Shell*
+-   GP English name: *Specify maximum amount of memory in MB per Shell*
 -   GP name: *MaxMemoryPerShellMB*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*
@@ -232,7 +232,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify maximum number of processes per Shell*
+-   GP English name: *Specify maximum number of processes per Shell*
 -   GP name: *MaxProcessesPerShell*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*
@@ -276,7 +276,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify maximum number of remote shells per user*
+-   GP English name: *Specify maximum number of remote shells per user*
 -   GP name: *MaxShellsPerUser*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*
@@ -320,7 +320,7 @@ ADMX Info:
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Specify Shell Timeout*
+-   GP English name: *Specify Shell Timeout*
 -   GP name: *ShellTimeOut*
 -   GP path: *Windows Components/Windows Remote Shell*
 -   GP ADMX file name: *WindowsRemoteShell.admx*

windows/client-management/mdm/policy-csp-search.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Search

windows/client-management/mdm/policy-csp-security.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Security

windows/client-management/mdm/policy-csp-settings.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Settings

windows/client-management/mdm/policy-csp-smartscreen.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - SmartScreen

windows/client-management/mdm/policy-csp-speech.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Speech

windows/client-management/mdm/policy-csp-start.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Start
@@ -448,10 +448,10 @@ ms.date: 08/09/2017
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
@@ -462,7 +462,10 @@ ms.date: 08/09/2017
 > [!NOTE]
 > This policy requires reboot to take effect.
 
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list.
+<p style="margin-left: 20px">Allows IT Admins to configure Start by collapsing or removing the all apps list.
+
+> [!Note]
+> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. 
 
 <p style="margin-left: 20px">The following list shows the supported values:
 

windows/client-management/mdm/policy-csp-storage.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Storage
@@ -62,7 +62,7 @@ If you disable or do not configure this policy setting, Windows will activate un
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not allow Windows to activate Enhanced Storage devices*
+-   GP English name: *Do not allow Windows to activate Enhanced Storage devices*
 -   GP name: *TCGSecurityActivationDisabled*
 -   GP path: *System/Enhanced Storage Access*
 -   GP ADMX file name: *enhancedstorage.admx*

windows/client-management/mdm/policy-csp-system.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - System
@@ -546,7 +546,7 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off System Restore*
+-   GP English name: *Turn off System Restore*
 -   GP name: *SR_DisableSR*
 -   GP path: *System/System Restore*
 -   GP ADMX file name: *systemrestore.admx*

windows/client-management/mdm/policy-csp-textinput.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - TextInput

windows/client-management/mdm/policy-csp-timelanguagesettings.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - TimeLanguageSettings

windows/client-management/mdm/policy-csp-update.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Update
@@ -46,10 +46,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
 
 > [!NOTE]
@@ -88,10 +84,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
 
 <p style="margin-left: 20px">Supported values are 8-18.
@@ -127,10 +119,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
 
 > [!NOTE]
@@ -169,10 +157,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
 
 <p style="margin-left: 20px">Supported operations are Get and Replace.
@@ -192,6 +176,43 @@ ms.date: 08/09/2017
 
 <p style="margin-left: 20px">If the policy is not configured, end-users get the default behavior (Auto install and restart).
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="update-allowautowindowsupdatedownloadovermeterednetwork"></a>**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.  
+
+- 0 (default) - Not allowed
+- 1 - Allowed
+
+A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
+
+This policy is accessible through the Update setting in the user interface or Group Policy.
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
@@ -221,10 +242,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
 
 <p style="margin-left: 20px">The following list shows the supported values:
@@ -261,10 +278,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
 
 <p style="margin-left: 20px">Supported operations are Get and Replace.
@@ -305,10 +318,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
 
 <p style="margin-left: 20px">Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
@@ -387,10 +396,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
 
 <p style="margin-left: 20px">Supported values are 15, 30, 60, 120, and 240 (minutes).
@@ -426,10 +431,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
 
 <p style="margin-left: 20px">The following list shows the supported values:
@@ -466,10 +467,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
 
 <p style="margin-left: 20px">The following list shows the supported values:
@@ -506,8 +503,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
 <p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
@@ -546,10 +541,6 @@ ms.date: 08/09/2017
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
 
 <p style="margin-left: 20px">Supported values are 0-30.
@@ -584,8 +575,6 @@ ms.date: 08/09/2017
 <!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
 
 
@@ -683,8 +672,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 <!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
->
 > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 >
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
@@ -729,6 +716,46 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="update-disabledualscan"></a>**Update/DisableDualScan**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update.  With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
+
+<p style="margin-left: 20px">For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/).
+
+- 0 - allow scan against Windows Update
+- 1 - do not allow update deferral policies to cause scans against Windows Update 
+
+<p style="margin-left: 20px">This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
+
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
@@ -758,10 +785,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period.  If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
 
 <p style="margin-left: 20px">Supported values are 2-30 days.
@@ -797,10 +820,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
 
 <p style="margin-left: 20px">Supported values are 1-3 days.
@@ -836,10 +855,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
 
 <p style="margin-left: 20px">Supported values are 2-30 days.
@@ -876,7 +891,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 <!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
 > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
@@ -1051,8 +1065,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 <!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
 
 
@@ -1096,8 +1108,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
 <p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 
 
@@ -1170,9 +1180,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
 
 <p style="margin-left: 20px">The following list shows the supported values:
@@ -1243,8 +1250,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 <!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
 
 
@@ -1284,11 +1289,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-<br>
-
 > [!NOTE]
 > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
 
@@ -1331,10 +1331,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
 
 <p style="margin-left: 20px">Supported values are 15, 30, or 60 (minutes).
@@ -1409,10 +1405,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Enables the IT admin to schedule the day of the update installation.
 
 <p style="margin-left: 20px">The data type is a integer.
@@ -1677,10 +1669,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
 
 <p style="margin-left: 20px">The following list shows the supported values:
@@ -1753,9 +1741,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 
 <!--EndSKU-->
 <!--StartDescription-->
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
 > [!Important]  
 > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
 
@@ -1815,8 +1800,6 @@ Example
 
 <!--EndSKU-->
 <!--StartDescription-->
-> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
 <p style="margin-left: 20px">Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
 
 <p style="margin-left: 20px">This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

windows/client-management/mdm/policy-csp-wifi.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - Wifi

windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - WindowsDefenderSecurityCenter

windows/client-management/mdm/policy-csp-windowsinkworkspace.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - WindowsInkWorkspace

windows/client-management/mdm/policy-csp-windowslogon.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - WindowsLogon
@@ -62,7 +62,7 @@ If you disable or do not configure this policy setting, users can choose which a
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Turn off app notifications on the lock screen*
+-   GP English name: *Turn off app notifications on the lock screen*
 -   GP name: *DisableLockScreenAppNotifications*
 -   GP path: *System/Logon*
 -   GP ADMX file name: *logon.admx*
@@ -112,7 +112,7 @@ If you disable or don't configure this policy setting, any user can disconnect t
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Do not display network selection UI*
+-   GP English name: *Do not display network selection UI*
 -   GP name: *DontDisplayNetworkSelectionUI*
 -   GP path: *System/Logon*
 -   GP ADMX file name: *logon.admx*

windows/client-management/mdm/policy-csp-wirelessdisplay.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/09/2017
+ms.date: 08/30/2017
 ---
 
 # Policy CSP - WirelessDisplay

windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -457,7 +457,7 @@ To turn off Live Tiles:
     
 -   Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
 
-You must also unpin all tiles that are pinned to Start.
+In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
 
 ### <a href="" id="bkmk-mailsync"></a>10. Mail synchronization
 
@@ -1261,7 +1261,7 @@ To turn off **Let apps read or send messages (text or MMS)**:
 
      -or-
 
--   Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
+-   Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
 
 To turn off **Choose apps that can read or send messages**:
 

windows/configuration/set-up-a-device-for-anyone-to-use.md

@@ -1,89 +0,0 @@
----
-title: Set up a device for anyone to use in kiosk mode (Windows 10)
-description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
-ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
-keywords: ["kiosk", "lockdown", "assigned access"]
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: jdeckerms
-ms.localizationpriority: high
----
-
-# Set up a device for anyone to use (kiosk mode)
-
-
-**Applies to**
-
--   Windows 10
--   Windows 10 Mobile
-
-**Looking for Windows Embedded 8.1 Industry information?**
-
--   [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
-
-You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.
-
-Do you need a computer that can only do one thing? For example:
-
--   A device in the lobby that customers can use to view your product catalog.
-
--   A portable device that drivers can use to check a route on a map.
-
--   A device that a temporary worker uses to enter data.
-
-The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device.
-
-> [!NOTE]  
-> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
-
- 
-
-| Windows 10 edition | Universal Windows app              | Classic Windows application          |
-|--------------------|------------------------------------|--------------------------------------|
-| Mobile             | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
-| Mobile Enterprise  | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
-| Pro                | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
-| Enterprise         | ![supported](images/checkmark.png) | ![supported](images/checkmark.png)   |
-| Education          | ![supported](images/checkmark.png) | ![supported](images/checkmark.png)   |
-
- 
-
-## In this section
-
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)</p></td>
-<td align="left"><p>A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the <strong>assigned access</strong> feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use <strong>Shell Launcher</strong> to set a custom user interface as the shell.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)</p></td>
-<td align="left"><p>A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.</p></td>
-</tr>
-</tbody>
-</table>
-
- ## Learn more
-
-[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
-
- 
-
- 
-
-
-
-
-

windows/deployment/TOC.md

@@ -221,6 +221,9 @@
 ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
 #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
 #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
+#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
+##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
+##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
 ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
 
 ## Windows Analytics

windows/deployment/deploy-enterprise-licenses.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/deploy-whats-new.md

@@ -7,6 +7,7 @@ ms.localizationpriority: high
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
+ms.date: 08/23/2017
 author: greg-lindsay
 ---
 

windows/deployment/deploy.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: high
+ms.date: 09/05/2017
 author: greg-lindsay
 ---